Invalidate a token Added in 5.5.0

DELETE /_security/oauth2/token
Api key auth Basic auth Bearer auth

The access tokens returned by the get token API have a finite period of time for which they are valid. After that time period, they can no longer be used. The time period is defined by the xpack.security.authc.token.timeout setting.

The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once. If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API.

NOTE: While all parameters are optional, at least one of them is required. More specifically, either one of token or refresh_token parameters is required. If none of these two are specified, then realm_name and/or username need to be specified.

application/json

Body Required

  • token string

    An access token. This parameter cannot be used if any of refresh_token, realm_name, or username are used.

  • refresh_token string

    A refresh token. This parameter cannot be used if any of refresh_token, realm_name, or username are used.

  • realm_name string
  • username string

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • error_count number Required

      The number of errors that were encountered when invalidating the tokens.

    • error_details array[object]

      Details about the errors. This field is not present in the response when error_count is 0.

      Hide error_details attributes Show error_details attributes object
    • invalidated_tokens number Required

      The number of the tokens that were invalidated as part of this request.

    • previously_invalidated_tokens number Required

      The number of tokens that were already invalidated.
DELETE /_security/oauth2/token 
curl \
 --request DELETE 'http://api.example.com/_security/oauth2/token' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"token\" : \"dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==\"\n}"'
Request examples
Run `DELETE /_security/oauth2/token` to invalidate an access token. 
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}
Run `DELETE /_security/oauth2/token` to invalidate a refresh token. 
{
  "refresh_token" : "vLBPvmAB6KvwvJZr27cS"
}
Run `DELETE /_security/oauth2/token` to invalidate all access tokens and refresh tokens for the `saml1` realm. 
{
  "realm_name" : "saml1"
}
Run `DELETE /_security/oauth2/token` to invalidate all access tokens and refresh tokens for the user `myuser` in all realms. 
{
  "username" : "myuser"
}
Run `DELETE /_security/oauth2/token` to invalidate all access tokens and refresh tokens for the user `myuser` in the `saml1` realm. 
{
  "username" : "myuser",
  "realm_name" : "saml1"
}
Response examples (200)
A partially successful response from `DELETE /_security/oauth2/token`. The response includes the number of the tokens that were invalidated, the number of errors that were encountered when invalidating the tokens, and details about these errors. 
{
  "invalidated_tokens":9, 
  "previously_invalidated_tokens":15, 
  "error_count":2, 
  "error_details":[ 
    {
      "type":"exception",
      "reason":"Elasticsearch exception [type=exception, reason=foo]",
      "caused_by":{
        "type":"exception",
        "reason":"Elasticsearch exception [type=illegal_argument_exception, reason=bar]"
      }
    },
    {
      "type":"exception",
      "reason":"Elasticsearch exception [type=exception, reason=boo]",
      "caused_by":{
        "type":"exception",
        "reason":"Elasticsearch exception [type=illegal_argument_exception, reason=far]"
      }
    }
  ]
}