When you use the refresh grant to get a new access token, the refresh token is renewed by default: the new refresh token has a new expiry time and the previous refresh token becomes inactive. To change this behavior, set the <RenewRefreshTokenForRefreshGrant> element to false. To change the expiry time of your refresh token, set the <RefreshTokenValidityPeriod> element, whose value is in seconds.

Revoking access tokens

After an access token is issued, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling the Revoke API using a REST client. The Revoke API's endpoint URL is https://gateway.api.cloud.wso2.com/revoke. The parameters required to invoke this API are as follows:

  • The token to be revoked
  • The consumer key and consumer secret, joined as key:secret and encoded using Base64

For example:

Code Block
curl -d "token=<ACCESS_TOKEN_TO_BE_REVOKED>" -H "Authorization: Basic Base64Encoded(Consumer key:consumer secret)" https://gateway.api.cloud.wso2.com/revoke
Tip
Even after revoking a token, it might still be available in the API Gateway cache to consumers until the cache expires in approximately 15 minutes.
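
The Revoke call above as a shell wrapper (an added example, not part of the original page): it builds the Basic credential without a stray newline or line wrapping and hands the secret and token to curl on stdin instead of the argument list. The function names and the key/secret sample used to check the encoding are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper functions for calling the Revoke API.
# Usage (after sourcing this file):
#   revoke_token "$ACCESS_TOKEN" "$CONSUMER_KEY" "$CONSUMER_SECRET"

# Base64-encode "key:secret" exactly as HTTP Basic expects.
# printf avoids the trailing newline that echo would append, and tr strips
# the line breaks that base64 inserts into long output.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Revoke one access token.
# - TLS certificate verification stays enabled (no -k).
# - The Authorization header and the token are fed to curl through
#   "--config -" (read from stdin), so they do not appear in the process list.
# - --fail makes curl return non-zero on an HTTP error status.
# Assumption: the token and credential contain no double quotes or
# backslashes, which would need escaping inside curl's config syntax.
revoke_token() {
    token=$1
    cred=$(basic_credential "$2" "$3")
    printf 'header = "Authorization: Basic %s"\ndata-urlencode = "token=%s"\n' \
        "$cred" "$token" |
        curl --silent --show-error --fail --config - \
            https://gateway.api.cloud.wso2.com/revoke
}
```

A zero exit status only means the revoke request was accepted; because of the gateway cache described in the tip, the token can still be honored until the cache expires.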