Revoke a Token


The OAuth 2.0 Revoke a Token filter is used to revoke a specified OAuth 2.0 access or refresh token. A revoke token request causes the removal of the client permissions associated with the specified token used to access the user's protected resources. For more details on supported OAuth flows, see API Gateway OAuth 2.0 Authentication Flows.

OAuth access tokens are used to grant access to specific resources in an HTTP service (for example, photos on a photo sharing website) for a specific period of time. This enables users to grant third-party applications access to their resources without sharing all of their data and access permissions. OAuth refresh tokens are issued by the Authorization Server to the client, and can be used to obtain a new access token.

Revoke Token Settings

Configure the following fields on this tab:

Revoke token from this cache:

Click the browse button to select the cache to revoke the token from (for example, the default OAuth Access Token Store). To add an access token store, right-click Access Token Stores, and select Add Access Token Store. You can select to Store in a cache or Store in a database. For more details, see the following topics:

The Purge expired tokens every setting specifies the time interval in seconds that the database or cache is polled for expired tokens. Defaults to every 60 seconds.

The application registry is stored in the following KPS:

Enter the Key Property Store (KPS) in which the application registry is stored. The application registry contains the applications registered with the Authorization Server that are permitted access to specific scopes and resources. Defaults to the example ClientApplicationRegistry, which is available at the following URL:


For more details, see the topic on Key Property Stores.

Find client application information from message:

Select one of the following:

  • In Authorization Header:

    This is the default setting.

  • In Query String:

    The Client Id defaults to client_id, and Client Secret defaults to client_secret.
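The following sketch is an added example, not Oracle API Gateway code. It shows how a revoke request might be processed with client credentials read from either location described above. The registry contents, token store, function names, and status codes are assumptions made for illustration.

```python
import base64, hmac, time
from urllib.parse import parse_qs

# Constructed sample data: a hypothetical application registry and token store.
REGISTRY = {"app-1": "s3cret-1", "app-2": "s3cret-2"}
TOKENS = {"tok-a": {"client": "app-1", "exp": time.time() + 3600},
          "tok-b": {"client": "app-2", "exp": time.time() - 1}}

def client_credentials(headers, query, location="header"):
    """Return (client_id, client_secret) from the configured location, or None."""
    if location == "header":
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        cid, sep, secret = decoded.partition(":")
        return (cid, secret) if sep else None
    params = parse_qs(query)  # query-string names default to client_id / client_secret
    if "client_id" in params and "client_secret" in params:
        return params["client_id"][0], params["client_secret"][0]
    return None

def revoke(headers, query, token, location="header"):
    """Authenticate the client, then remove the token only if that client owns it."""
    creds = client_credentials(headers, query, location)
    expected = REGISTRY.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 401  # unknown client or wrong secret
    entry = TOKENS.get(token)
    if entry and entry["client"] == creds[0]:
        del TOKENS[token]
    return 200  # example's choice: do not reveal whether the token existed

def purge_expired(now=None):
    """Drop expired tokens, as a periodic purge of the store would; return their ids."""
    now = time.time() if now is None else now
    expired = [t for t, e in TOKENS.items() if e["exp"] <= now]
    for t in expired:
        del TOKENS[t]
    return expired
```

Credentials carried in a query string are typically recorded in access and proxy logs, which is a reason to keep the Authorization header default.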


The settings on this tab configure service-level monitoring options such as whether the service stores usage metrics data to a database. This information can be used by the web-based API Gateway Manager tool to display service use, and by the Oracle API Gateway Analytics tool to produce reports on how the service is used.

Monitoring Options

For details on the Monitoring Options fields on this tab, see the Monitoring Options in Set Service Context.