The POST /{environmentId}/as/revoke endpoint revokes the token specified in the request body. The token’s scope claim must specify a custom scope, and the aud claim specifies the resource associated with the custom scope.

The POST /{environmentId}/as/revoke endpoint uses the same authentication method as the POST /{environmentId}/as/token endpoint, and uses the value of the application’s tokenEndpointAuthMethod to determine the configuration. If tokenEndpointAuthMethod is set to CLIENT_SECRET_BASIC, the request carries an Authorization: Basic <headerValue> header, where <headerValue> is the Base64 encoding of "username:password", in which the username is the client_id and the password is the client_secret.

If the application’s tokenEndpointAuthMethod is set to CLIENT_SECRET_POST, the request body contains the client_id={appID}&client_secret={appSecret} parameters to authenticate.

If the authentication method is accepted, and the token contains the necessary iat and sid claims, the response returns a 200 code with an empty body.

If the token is invalid, or if it does not include the necessary iat and sid claims, an unsupported_token_type error is returned as directed in OAuth 2.0 Token Revocation (RFC 7009, section 2.2.1). If the aud claim identifies a platform token, an unsupported_token_type error response is also returned.
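The following sketch is an added example, not code from the product documentation. It builds the revocation request for both authentication methods described above and checks locally that a token carries the iat and sid claims before it is sent. The host auth.example.com, the helper names, and the sample token are assumptions constructed for illustration; the token form parameter name comes from RFC 7009.

```python
import base64
import json
from urllib.parse import urlencode

BASE_URL = "https://auth.example.com"  # placeholder host (assumption)

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_claims(token):
    """Return which of the claims the endpoint requires are absent from the token."""
    try:
        claims = jwt_claims(token)
    except (IndexError, ValueError):
        return ["iat", "sid"]  # not a parseable JWT: the endpoint would reject it
    return [c for c in ("iat", "sid") if c not in claims]

def build_revoke_request(env_id, token, client_id, client_secret, auth_method):
    """Return (url, headers, body) for POST /{environmentId}/as/revoke."""
    url = f"{BASE_URL}/{env_id}/as/revoke"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}  # parameter name per RFC 7009
    if auth_method == "CLIENT_SECRET_BASIC":
        # Credentials travel only in the Authorization header.
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif auth_method == "CLIENT_SECRET_POST":
        # Credentials travel only in the form body.
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"auth method not covered by this example: {auth_method}")
    return url, headers, urlencode(form)

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline use (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    tok = make_sample_token({"iat": 1700000000, "sid": "s-1", "scope": "orders:read"})
    print(missing_claims(tok))
    print(build_revoke_request("env-123", tok, "app1", "s3cret", "CLIENT_SECRET_BASIC"))
```

The local claim check only predicts an unsupported_token_type response; the endpoint's own validation remains authoritative.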