Access Tokens
Access tokens let a service verify that a user has previously been authenticated.
Access token IDs are not numeric, because numeric IDs invite enumeration attacks (i.e. if an attacker creates a token with the ID 10, they know there is a good chance that nine earlier tokens exist).
Instead, we use UUID4-based IDs. The ID of a token is found in the decoded JWT payload, in the JTI claim.
Revoke Access Token
This endpoint revokes an access token; if there is an associated refresh token, it is revoked as well so that the access token cannot simply be regenerated.
When a token is revoked, services won't know instantly. Instead, an API will randomly check a token's validity, and if the token has been revoked or has expired it will return a 4xx status error.
This endpoint returns a 204 status with an empty body if the access token was successfully revoked. For any error, a 500 status is returned.
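The two points above, token IDs carried in the JTI claim as UUID4 values rather than enumerable integers, and revocation cascading to the linked refresh token with services answering 4xx for revoked or expired tokens, are illustrated together in the following added example. It is not SDK code and is language-neutral: the tokens, registry and status codes are constructed for the demonstration, and the demo JWTs are unsigned, so a real service would additionally verify the signature before trusting any claim.

```python
import base64
import json
import re
import uuid

# Shape of a version-4 UUID: version nibble 4, variant nibble 8-b (check written for this example)
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(jti: str, exp: int) -> str:
    """Build a constructed, UNSIGNED demo JWT (alg "none").
    Real tokens carry a signature that services must verify; this example only reads claims."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"jti": jti, "exp": exp}).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the decoded payload (claims) of a JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def jti_of(token: str) -> str:
    """The token ID lives in the jti claim of the decoded payload."""
    return decode_payload(token)["jti"]


def is_enumerable(token_id: str) -> bool:
    """A purely numeric ID reveals how many tokens precede it; a UUID4 does not."""
    return token_id.isdigit()


def is_uuid4(token_id: str) -> bool:
    return UUID4_RE.match(token_id) is not None


class TokenRegistry:
    """Constructed registry linking access tokens to refresh tokens and tracking revocations."""

    def __init__(self):
        self.refresh_for = {}  # access jti -> refresh jti
        self.revoked = set()   # revoked jti values

    def issue(self, exp: int):
        """Issue an access/refresh pair with UUID4 IDs; the refresh token outlives the access token."""
        access_id, refresh_id = str(uuid.uuid4()), str(uuid.uuid4())
        self.refresh_for[access_id] = refresh_id
        return make_demo_token(access_id, exp), make_demo_token(refresh_id, exp + 86400)

    def revoke_access_token(self, token_id: str) -> int:
        """Mirror the endpoint contract: 204 on success, 500 on any error.
        The linked refresh token is revoked too so the access token cannot be regenerated."""
        if token_id not in self.refresh_for:
            return 500
        self.revoked.add(token_id)
        self.revoked.add(self.refresh_for[token_id])
        return 204

    def check(self, token: str, now: int) -> int:
        """Service-side validity check: 401 if revoked or expired, otherwise 200."""
        claims = decode_payload(token)
        if claims["jti"] in self.revoked or claims["exp"] <= now:
            return 401
        return 200


if __name__ == "__main__":
    registry = TokenRegistry()
    access, refresh = registry.issue(exp=2000)
    print("access jti:", jti_of(access), "uuid4:", is_uuid4(jti_of(access)))
    print("revoke ->", registry.revoke_access_token(jti_of(access)))
    print("access check ->", registry.check(access, now=1000))
    print("refresh check ->", registry.check(refresh, now=1000))
```

The registry keeps only revocation state in memory, which is enough to show why revoking the access token alone would be insufficient: without the cascade, the refresh token would still pass `check` and could mint a fresh access token.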
URL Parameters
- Name: token_id
- Required: yes
- Type: string
- Description: The ID of the JWT token to revoke
Request
<?php
use Compliance\Sdk\Authentication\OAuth\Contracts\OAuthSdkInterface;
use Compliance\Sdk\Authentication\Types\Machine;

// Declared on the calling class; an OAuthSdkInterface instance injected by the application
private OAuthSdkInterface $sdk;

// Revoke the access token by its JTI (the token's UUID4 ID); any linked refresh token is revoked too
$response = $this->sdk->v1(new Machine())->revokeAccessTokenById('6015af12-c06b-4995-bb03-260e8590d22c');