Skip to main content

Revoke an access token

POST /v2/oauth/token/revoke

Revokes any access token. You need to include your client ID and secret and the access token in the request body.

You can only revoke access tokens using the OAuth application that generated them. During credential rotation, Connect creates a new OAuth application. The new OAuth application cannot revoke old access tokens. For more information, see credential rotation.

Best Practice

For security purposes, ensure that you send credentials only in the request body. Avoid sending credentials as query parameters because this might result in compromised credentials.


client_idstringThe client ID.
client_secretstringThe client secret.
tokenstringThe token to revoke.

Request examples

curl --request POST \
--url \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "string",
"client_secret": "string",
"token": "string"

Response examples

200 Success

// Empty

Authentication Errors

HTTP CodeCauseErrorDescription
403Unauthorized client"unauthorized_client""You are not authorized to revoke this token"
403Query Params Forbidden"query_params_forbidden""Providing OAuth credentials as query parameters may cause them to be compromised. Please reach out to Instacart's security team and have the credentials rotated."