The POST /{environmentId}/as/revoke endpoint revokes the token specified in the request body. The token’s scope claim must specify a custom scope, and the aud claim specifies the resource associated with the custom scope.

The POST /{environmentId}/as/revoke endpoint uses the same authentication method as the POST /{environmentId}/as/token endpoint, and uses the value of the application’s tokenEndpointAuthMethod to determine the configuration. If the tokenEndpointAuthMethod is set to CLIENT_SECRET_BASIC, the Authorization: Basic <headerValue> header carries the Base64 encoding of "username:password", in which the username is the client_id and the password is the client_secret.

If the application’s tokenEndpointAuthMethod is set to CLIENT_SECRET_POST, the request body contains the client_id={appID}&client_secret={appSecret} parameters to authenticate.

If the authentication method is accepted, and the token contains the necessary iat and sid claims, the response returns a 200 code with an empty body.

If the token is invalid or if the token does not include the necessary iat and sid claims, an unsupported_token_type error is returned as directed in OAuth 2.0 Token Revocation RFC 7009 (section 2.2.1). If the aud claim identifies a platform token, an unsupported_token_type error response is returned.
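
The following added example (not taken from the original documentation) builds the revocation request for both tokenEndpointAuthMethod values and checks a token for the required iat and sid claims before sending it. The host in BASE_URL, the helper names, and all sample values are placeholders assumed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

BASE_URL = "https://auth.example.com"  # placeholder host, not from the page

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_revocation_claims(token):
    """List the claims the endpoint requires (iat, sid) that the token lacks."""
    claims = jwt_claims(token)
    return [name for name in ("iat", "sid") if name not in claims]

def build_revoke_request(env_id, token, client_id, client_secret, auth_method):
    """Return (url, headers, body) for POST /{environmentId}/as/revoke."""
    url = f"{BASE_URL}/{env_id}/as/revoke"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}  # "token" is the RFC 7009 request parameter
    if auth_method == "CLIENT_SECRET_BASIC":
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif auth_method == "CLIENT_SECRET_POST":
        # The secret travels in the body here, so keep request bodies out of logs.
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unhandled tokenEndpointAuthMethod: {auth_method}")
    return url, headers, urlencode(form)

def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "none"}), b64url(claims), "constructed"])

if __name__ == "__main__":
    token = make_sample_token({"iat": 1700000000, "sid": "sample-session"})
    print("missing claims:", missing_revocation_claims(token))
    for method in ("CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"):
        url, headers, body = build_revoke_request(
            "sample-env", token, "sample-app-id", "sample-secret", method)
        print(method, url, sorted(headers), len(body))
```

A token that fails the local claim check would receive the unsupported_token_type error described above, so checking first avoids treating that response as a successful revocation.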