Revoke

Revoke an access or refresh token.

POST/oauth-revoke

These endpoints are used by third-party OAuth integrations (such as Zapier). If you are building a direct server integration, use an API key instead.

Try it

POST

API Key (stored locally in your browser only)

Create an API key in your workspace under Settings → Integrations & API.

Use this when a user disconnects your integration. Implements RFC 7009 — the endpoint always returns 200 with an empty JSON body, even for unknown tokens, to avoid leaking information.

Accepts either application/x-www-form-urlencoded or application/json.

Request body

Body

Name	Type	Description
`token`required	string	The access_token or refresh_token to revoke.
`token_type_hint`	string	`access_token` or `refresh_token` — optional hint to narrow which table is checked first.
`client_id`	string	Your OAuth client ID. Required for confidential clients.
`client_secret`	string	Your OAuth client secret. Required for confidential clients.

Example

bash

curl -X POST 'https://api.wundertreos.com/functions/v1/oauth-revoke' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token=1d3e5c7f9a1d3e5c7f9a1d3e5c7f9a1d' \
  -d 'token_type_hint=refresh_token' \
  -d 'client_id=your_client' \
  -d 'client_secret=your_secret'

Response

200 OK with body {}. Returns 401 invalid_client only if client credentials are provided but incorrect.

PreviousToken Next Identity