The POST /{environmentId}/as/revoke endpoint revokes the token specified in the request body. Tokens issued for the PingOne API resource cannot be revoked because the PingOne APIs do not use the introspection endpoint.

The POST /{environmentId}/as/revoke endpoint uses the same authentication method as the POST /{environmentId}/as/token endpoint, and uses the value from the application’s tokenEndpointAuthMethod to determine the configuration. If the tokenEndpointAuthMethod is set to CLIENT_SECRET_BASIC, the <headerValue> in the Authorization: Basic <headerValue> header is the Base64 encoding of "username:password", in which the username is the client_id and the password is the client_secret.

If the application’s tokenEndpointAuthMethod is set to CLIENT_SECRET_POST, the request body contains the client_id={appID}&client_secret={appSecret} parameters to authenticate.

If the authentication method is accepted, and the token contains the necessary iat and sid claims, the response returns a 200 code with an empty body.

If the token is invalid or if the token does not include the necessary iat and sid claims, an unsupported_token_type error is returned as directed in OAuth 2.0 Token Revocation (RFC 7009, section 2.2.1). If the aud claim identifies a platform token, an unsupported_token_type error response is returned.
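
The following added example (not PingOne's own code) builds the revoke request for both tokenEndpointAuthMethod values and treats only a 200 with an empty body as a completed revocation. The function names, the base URL and the sample credentials are assumptions made for illustration; the token form parameter is the one defined by RFC 7009.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_revoke_request(base_url, environment_id, client_id, client_secret,
                         token, auth_method):
    """Build (not send) the POST /{environmentId}/as/revoke request."""
    url = f"{base_url.rstrip('/')}/{environment_id}/as/revoke"
    form = {"token": token}  # "token" is the RFC 7009 request parameter
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if auth_method == "CLIENT_SECRET_BASIC":
        # Base64 of "client_id:client_secret" goes in the Authorization header.
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    elif auth_method == "CLIENT_SECRET_POST":
        # Credentials travel in the form body instead of a header.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unhandled tokenEndpointAuthMethod: {auth_method}")

    data = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def revocation_succeeded(status, body):
    """True only for the documented success case: 200 with an empty body."""
    if status == 200 and not body.strip():
        return True
    try:
        error = json.loads(body).get("error")
    except (ValueError, AttributeError):
        error = None
    if error == "unsupported_token_type":
        # Invalid token, missing iat/sid claims, or a platform token:
        # this call revoked nothing, so do not record the token as revoked.
        return False
    raise RuntimeError(f"unexpected revoke response: {status} {body!r}")
```

A logout or incident-response routine that calls this should log the False case separately, since the token was not revoked by the request.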