Invalidate a token Added in 5.5.0

DELETE /_security/oauth2/token

The access tokens returned by the get token API have a finite period of time for which they are valid. After that time period, they can no longer be used. The time period is defined by the xpack.security.authc.token.timeout setting.

The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once. If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API.

NOTE: While all parameters are optional, at least one of them is required. More specifically, either the token or the refresh_token parameter is required. If neither of these two is specified, then realm_name and/or username must be specified.

application/json

Body Required

  • token string

    An access token. This parameter cannot be used if any of refresh_token, realm_name, or username are used.

  • refresh_token string

    A refresh token. This parameter cannot be used if any of token, realm_name, or username are used.

  • username string

Responses

  • 200 application/json
    • error_count number Required

      The number of errors that were encountered when invalidating the tokens.

    • error_details array[object]

      Details about the errors. This field is not present in the response when error_count is 0.

      • type string Required

        The type of error

      • reason string

        A human-readable explanation of the error, in English.

      • stack_trace string

        The server stack trace. Present only if the error_trace=true parameter was sent with the request.

      • caused_by object

        Additional properties are allowed.

      • root_cause array[object]

        Additional properties are allowed.

      • suppressed array[object]

        Additional properties are allowed.

    • invalidated_tokens number Required

      The number of the tokens that were invalidated as part of this request.

    • previously_invalidated_tokens number Required

      The number of tokens that were already invalidated.

DELETE /_security/oauth2/token
curl \
 --request DELETE http://api.example.com/_security/oauth2/token \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"token":"string","refresh_token":"string","realm_name":"string","username":"string"}'
Request examples
{
  "token": "string",
  "refresh_token": "string",
  "realm_name": "string",
  "username": "string"
}
Response examples (200)
{
  "error_count": 42.0,
  "error_details": [
    {
      "type": "string",
      "reason": "string",
      "stack_trace": "string",
      "caused_by": {},
      "root_cause": [
        {}
      ],
      "suppressed": [
        {}
      ]
    }
  ],
  "invalidated_tokens": 42.0,
  "previously_invalidated_tokens": 42.0
}
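The parameter rules in the NOTE and the response attributes above can be checked in client code before and after the call. The following Python is an added example, not part of the Elasticsearch documentation: the function names, realm and user names, and the sample response are constructed for illustration. It treats token and refresh_token as each excluding every other parameter, and it shows that a 200 response can still report failed invalidations through error_count.

```python
# Added example: client-side checks for DELETE /_security/oauth2/token.
# Parameter and field names come from the page; function names are hypothetical.

def build_invalidate_body(token=None, refresh_token=None,
                          realm_name=None, username=None):
    """Return the request body as a dict, or raise ValueError if the
    combination of parameters breaks the rules in the NOTE."""
    candidates = (("token", token), ("refresh_token", refresh_token),
                  ("realm_name", realm_name), ("username", username))
    given = {name: value for name, value in candidates if value}
    if not given:
        raise ValueError("at least one parameter is required")
    # token and refresh_token must each be sent alone.
    for exclusive in ("token", "refresh_token"):
        if exclusive in given and len(given) > 1:
            others = sorted(set(given) - {exclusive})
            raise ValueError(f"{exclusive} cannot be combined with {others}")
    # Only realm_name and/or username can remain at this point.
    return given


def summarize_response(resp):
    """Reduce a 200 response to what a revocation workflow needs to know.
    HTTP 200 alone does not mean every token was invalidated."""
    details = resp.get("error_details", [])  # absent when error_count is 0
    return {
        "complete": resp["error_count"] == 0,
        "revoked_now": resp["invalidated_tokens"],
        "already_revoked": resp["previously_invalidated_tokens"],
        "failures": [(d["type"], d.get("reason")) for d in details],
    }


# Constructed sample: two tokens revoked, one already revoked, one failure.
SAMPLE_PARTIAL = {
    "error_count": 1,
    "error_details": [{"type": "exception", "reason": "constructed failure"}],
    "invalidated_tokens": 2,
    "previously_invalidated_tokens": 1,
}

if __name__ == "__main__":
    # Revoke every token issued to one user in one realm (constructed names).
    print(build_invalidate_body(realm_name="native1", username="alice"))
    print(summarize_response(SAMPLE_PARTIAL))
```

When revoking by realm_name or username after a suspected credential compromise, a result with "complete" set to False means some tokens may still be usable and the request should be retried or investigated.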