How toRevoke a Refresh Token in OAuth2

When using refresh tokens in OAuth2, it's important to have a proper revocation mechanism in place—especially when users log out or when a token is suspected to be compromised.

The OAuth2 specification defines a revocation endpoint that clients can call to explicitly invalidate a token, preventing it from being used again.

How it works

To revoke a refresh token, your application should send a POST request to the authorization server’s revocation endpoint.

You need to include:

• The token you want to revoke
• The token_type_hint (optional but recommended)
• Client authentication (usually using client_id and client_secret)

Here’s how to do it in code:

await fetch(new URL("/revoke", issuer), {
  method: "POST",
  headers: {
    Authorization: `Basic ${btoa(clientId + ":" + clientSecret)}`,
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: new URLSearchParams({
    token: refreshToken,
    token_type_hint: "refresh_token",
  }),
});

This will invalidate the refresh token so it can no longer be used to obtain new access tokens.

Keep in mind that some providers also allow revoking access tokens the same way—just change the token_type_hint to "access_token".

I'm writing a book about OAuth2 in modern web apps using React Router & Remix.

Coming soon at books.sergiodxa.com