How to revoke OAuth token generated from OAuth2 plugin

I cannot find any API for revoking an access token in the OAuth2 plugin documentation. How can I do that?



Please try this request:

curl -X DELETE http://kong:8001/oauth2_tokens/<your-token-uuid>

It should remove the token from the database.

I have created an issue to include those endpoints in the docs, thanks for reporting this and apologies if this has caused you any trouble.

Thank you very much, it worked.

Is it possible to delete multiple tokens in a single request?

No, the endpoint only allows 1 token UUID per request.
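
Because the endpoint takes one token UUID per request, revoking several tokens means issuing one DELETE per token. The sketch below is an added example, not code from this thread or from Kong. `KONG_ADMIN`, the function names and the treatment of any 2xx status as success are assumptions.

```shell
#!/bin/sh
# Added example: revoke several Kong OAuth2 tokens, one DELETE per token UUID.
# KONG_ADMIN is an assumption; the thread's request uses http://kong:8001.
KONG_ADMIN="${KONG_ADMIN:-http://kong:8001}"

# Accept only canonical UUIDs so nothing else is spliced into the Admin API path.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# http_delete URL: prints the HTTP status code of a DELETE request.
# Kept as its own function so it can be replaced when testing offline.
http_delete() {
  curl -sS -o /dev/null -w '%{http_code}' -X DELETE "$1"
}

# revoke_tokens UUID...: prints one "<uuid> <result>" line per token and
# returns non-zero if any token was skipped or could not be deleted.
revoke_tokens() {
  rc=0
  for id in "$@"; do
    if ! is_uuid "$id"; then
      echo "$id skipped-not-a-uuid"
      rc=1
      continue
    fi
    code=$(http_delete "$KONG_ADMIN/oauth2_tokens/$id") || code=000
    case "$code" in
      2??) echo "$id revoked" ;;            # assumption: any 2xx means deleted
      404) echo "$id not-found" ;;          # no such token in the database
      *)   echo "$id failed-$code"; rc=1 ;; # transport error or unexpected status
    esac
  done
  return "$rc"
}

# Stand-alone use: ./revoke.sh <uuid> [<uuid> ...]
if [ "$#" -gt 0 ]; then
  revoke_tokens "$@"
fi
```

A non-zero exit status means at least one token needs a second look, which matters when the revocation is part of an incident response and a token left behind is still usable.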

I don’t get why Kong doesn’t provide a revoke endpoint. It should be its responsibility.

@kikito Your example would work, but I would say for debugging purposes it would be better to flag revoked tokens instead.
Kong could use a revoked_at field in its db, for example, to store the date when the client revoked his token.

The resources we have as a company aren’t unlimited. Probably we’ll end up doing what you suggest, but right now other developments are a higher priority for us.

If it’s important for you, can I suggest sending us a PR? That would accelerate the process.

There are a lot of standards in the OAuth 2.0 space, such as Revocation, which is not part of the base standard but defined in another: There is almost no upper limit to what your Identity Provider could have. Though I agree Revocation and Introspection endpoints would be nice to have in our plugin, it could also have support for OpenID Connect, JWT tokens (both JWS/JWE maybe), etc.

We do provide in our EE version of the product a very full-featured OpenID Connect Relying Party Plugin that you can use to integrate with some big-player identity solutions (there is also a third-party plugin here:), such as Google, Microsoft, Okta, PingFederate, OneLogin, Auth0, Yahoo!, SalesForce, Paypal, Connect2id, IdentityServer4, OpenAM, Gluu, Keycloak, Dex, to mention a few. But as long as your identity provider supports the OpenID Connect standard, you can integrate with it.

All that said, I think revocation is high on the list of what should be in the OAuth 2.0 Plugin. We are happy to receive a pull request for it.