Delete token API

Invalidates a bearer token for access without requiring basic authentication.

Request

DELETE /_xpack/security/oauth2/token

Description

The tokens returned by the get token API are valid for a finite period of time, after which they can no longer be used. That time period is defined by the xpack.security.authc.token.timeout setting. For more information, see Token service settings.

If you want to invalidate a token immediately, use this delete token API.

Request Body

The following parameters can be specified in the body of a DELETE request and pertain to deleting a token:

token (required)
(string) An access token.

Examples

The following example invalidates the specified token immediately:

DELETE /_xpack/security/oauth2/token
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}

A successful call returns a JSON structure that indicates whether the token has already been invalidated.

{
  "created" : true 
}

When a token has already been invalidated, created is set to false.
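
A small client for the call described above, as an added example that is not part of the Elasticsearch documentation. It treats both values of created as a successful revocation, so a logout path can be retried safely. The host name, the function names, the injectable send transport and the optional auth_header parameter are assumptions; this page does not state how the request itself is authenticated.

```python
import json
import urllib.request

TOKEN_PATH = "/_xpack/security/oauth2/token"  # endpoint documented on this page


def build_request(base_url, token, auth_header=None):
    """Build the DELETE request whose JSON body carries the token to invalidate."""
    if not isinstance(token, str) or not token:
        raise ValueError("token is required and must be a non-empty string")
    headers = {"Content-Type": "application/json"}
    if auth_header:  # assumption: caller supplies whatever credentials the cluster expects
        headers["Authorization"] = auth_header
    body = json.dumps({"token": token}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=body, headers=headers, method="DELETE"
    )


def interpret(response_bytes):
    """Map the response body to an outcome; reject anything without a boolean 'created'."""
    doc = json.loads(response_bytes)
    created = doc.get("created") if isinstance(doc, dict) else None
    if created is True:
        return "invalidated"          # this call invalidated the token
    if created is False:
        return "already_invalidated"  # token was invalidated before this call
    raise ValueError("unexpected response: missing boolean 'created'")


def _urlopen_send(request):
    # Default transport: performs the real HTTP call and returns the raw body.
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()


def revoke_token(base_url, token, auth_header=None, send=_urlopen_send):
    """Invalidate a token. Either outcome means the token is no longer usable.
    The token value is never logged or included in error messages."""
    return interpret(send(build_request(base_url, token, auth_header)))


if __name__ == "__main__":
    # Constructed demo: a fake transport stands in for the cluster so this runs offline.
    fake = lambda req: b'{"created": true}'
    print(revoke_token("https://es.example:9200", "constructed-sample-token", send=fake))
```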