How to Revoke a Refresh Token in OAuth2

When using refresh tokens in OAuth2, it's important to have a proper revocation mechanism in place—especially when users log out or when a token is suspected to be compromised.

The OAuth2 specification defines a revocation endpoint that clients can call to explicitly invalidate a token, preventing it from being used again.

How it works

To revoke a refresh token, your application should send a POST request to the authorization server’s revocation endpoint.

You need to include:

  • The token you want to revoke
  • The token_type_hint (optional but recommended)
  • Client authentication (usually using client_id and client_secret)

Here’s how to do it in code:

// `issuer`, `clientId`, `clientSecret` and `refreshToken` are assumed to be
// defined earlier in your app. RFC 6749 §2.3.1 expects client_id and
// client_secret to be form-urlencoded before the base64 step; for the usual
// alphanumeric values that is a no-op, which is why the plain join works here.
const response = await fetch(new URL("/revoke", issuer), {
  method: "POST",
  headers: {
    Authorization: `Basic ${btoa(clientId + ":" + clientSecret)}`,
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: new URLSearchParams({
    token: refreshToken,
    token_type_hint: "refresh_token",
  }),
});

// RFC 7009: 200 means the token is revoked (or was already invalid). Any
// other status means the request itself was rejected, e.g. bad client
// credentials or an unsupported token type, and the token may still be live.
if (!response.ok) {
  throw new Error(`Token revocation failed with status ${response.status}`);
}

This will invalidate the refresh token so it can no longer be used to obtain new access tokens.

Keep in mind that some providers also allow revoking access tokens the same way: just change the token_type_hint to "access_token". The hint only helps the server locate the token; RFC 7009 lets the server ignore it and, when a refresh token is revoked, the server should also invalidate the access tokens issued from the same grant.
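To show what the authorization server does with that request, here is an added example (not the post's code and not any particular provider's implementation) of a minimal RFC 7009 revocation handler in plain JavaScript. The CLIENTS and TOKENS objects, and the authenticateClient/handleRevocation names, are constructed for illustration.

```javascript
// Added example (not from the original post): a minimal handler for the
// authorization server side of RFC 7009 token revocation. CLIENTS and
// TOKENS are constructed in-memory stand-ins for a real provider's storage.
const CLIENTS = { "web-app": "s3cret" };
// Token value -> metadata; tokens minted from one grant share a grant id.
const TOKENS = {
  "rt-111": { type: "refresh_token", client: "web-app", grant: "g1", revoked: false },
  "at-222": { type: "access_token", client: "web-app", grant: "g1", revoked: false },
  "rt-333": { type: "refresh_token", client: "other-app", grant: "g2", revoked: false },
};
// HTTP Basic client authentication (RFC 6749 §2.3.1: id and secret are
// form-urlencoded before base64). Returns the client_id or null.
function authenticateClient(authorizationHeader) {
  if (!authorizationHeader || !authorizationHeader.startsWith("Basic ")) return null;
  try {
    const decoded = Buffer.from(authorizationHeader.slice(6), "base64").toString("utf8");
    const idx = decoded.indexOf(":");
    if (idx < 0) return null;
    const clientId = decodeURIComponent(decoded.slice(0, idx));
    const secret = decodeURIComponent(decoded.slice(idx + 1));
    return CLIENTS[clientId] === secret ? clientId : null;
  } catch {
    return null;
  }
}
// Handle POST /revoke; `body` is the raw application/x-www-form-urlencoded string.
function handleRevocation(authorizationHeader, body) {
  const clientId = authenticateClient(authorizationHeader);
  if (!clientId) return { status: 401, body: { error: "invalid_client" } };
  const params = new URLSearchParams(body);
  const token = params.get("token");
  const hint = params.get("token_type_hint");
  if (!token) return { status: 400, body: { error: "invalid_request" } };
  if (hint && hint !== "refresh_token" && hint !== "access_token") {
    return { status: 400, body: { error: "unsupported_token_type" } };
  }
  const record = TOKENS[token];
  // RFC 7009 §2.2: an invalid (unknown) token still gets 200, so the endpoint cannot
  // be used to probe which tokens exist. A token issued to another client is treated
  // the same way here: no error, nothing revoked.
  if (record && record.client === clientId) {
    record.revoked = true;
    // Revoking a refresh token also invalidates access tokens from the same grant.
    if (record.type === "refresh_token") {
      for (const t of Object.values(TOKENS)) if (t.grant === record.grant) t.revoked = true;
    }
  }
  return { status: 200, body: {} };
}
```

Note that the response for an unknown token and for a successfully revoked one is identical, which is deliberate: the client cannot do anything useful with the difference, and hiding it keeps the endpoint from confirming which token values are valid.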


Want to master secure OAuth2 flows in React Router apps?

📘 My book React Router OAuth2 Handbook is now available!

It covers everything from the basics to advanced topics like PKCE, refresh tokens, and E2E auth testing.

books.sergiodxa.com/release