Delete token API

Invalidates a bearer token for access without requiring basic authentication.


DELETE /_xpack/security/oauth2/token


The tokens returned by the get token API have a finite period of time for which they are valid and after that time period, they can no longer be used. That time period is defined by the setting. For more information, see Token service settings.

If you want to invalidate a token immediately, use this delete token API.

Request Body

The following parameters can be specified in the body of a DELETE request and pertain to deleting a token:

token (required)
(string) An access token.


The following example invalidates the specified token immediately:

DELETE /_xpack/security/oauth2/token
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}

A successful call returns a JSON structure that indicates whether the token has already been invalidated.

{ "created" : true }

When a token has already been invalidated, created is set to false.
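
One way a logout or incident-response handler could call this API and interpret `created`, as an added example that is not part of the original documentation. The function names, the injectable `send` parameter and the caller's `Authorization` header value are assumptions; the endpoint, request body and response field are the ones described above.

```python
import json
import urllib.request

TOKEN_PATH = "/_xpack/security/oauth2/token"  # endpoint documented on this page


def build_delete_request(base_url, token, caller_auth):
    """Build the DELETE request carrying the token to invalidate in its JSON body.

    caller_auth is the caller's own Authorization header value (assumption:
    how the caller authenticates is not specified on this page).
    """
    body = json.dumps({"token": token}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=body,
        method="DELETE",  # urllib would default to POST when data is set
        headers={"Content-Type": "application/json",
                 "Authorization": caller_auth},
    )


def interpret(response_body):
    """Map the documented 'created' flag to an outcome string."""
    created = json.loads(response_body).get("created")
    if created is True:
        return "invalidated"
    if created is False:
        # The token was already invalidated: safe to treat as success,
        # which makes repeated logout or revocation calls idempotent.
        return "already_invalidated"
    # Never echo the token or the raw body into the error or logs.
    raise ValueError("unexpected response: no boolean 'created' field")


def revoke_token(base_url, token, caller_auth, send=urllib.request.urlopen):
    """Send the request and return the interpreted outcome.

    send is injectable so the function can be exercised offline.
    """
    request = build_delete_request(base_url, token, caller_auth)
    with send(request) as response:
        return interpret(response.read())
```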