This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit

Revoke OAuth2 Application

  1. An OAuth client is created when an application access token is generated. When a subscriber creates an application and generates an access token to the application using the API Store, the Store makes a call to the API Gateway, which in turn connects with the Key Manager to create an OAuth client and obtain an access token. Similarly, to validate a token, the API Gateway calls the Key Manager, which fetches and validates the token details from the database. 

    You can revoke the access tokens issued for the application by following the instructions below

    1. Log in to the management console  (https://<HostName>:9443/carbon
    2. In the Main menu, click Service Providers → List.
    3. Select the Service Provider and click Edit.

      Only a user with the relevant permission to manage Service Providers will be able to view/edit the existing Service Providers. A user with only subscribe permission is not able to view or edit the Service Providers. The Admin user by default has permission only to view and edit Service Providers of Applications created by the same user. However, its possible for the Admin user to assign the relevant permission for a particular Service Provider, to itself by navigating to Users and Roles → List → Roles, and then view/edit the Service Provider.

    4. Expand the Inbound Authentication Configurations section and select OAuth/OpenID Configuration
    5. You can revoke/deactivate the OAuth application by clicking Revoke. This will revoke all the tokens given for the application. 

      After an OAuth application is revoked, the consumer secret and all the generated access tokens and authorization codes will be invalid. You will not be able to regenerate access tokens in the API store or using the Token API.

      To re-activate the application, the consumer secret must be regenerated as shown in the next step

    6. To regenerate the secret of the OAuth Application, click Regenerate Secret

      You have to generate new access tokens and authorization codes for the OAuth application through the API Store or using the Token API after regenerating the consumer secret.