Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Simple OAuth Revoke

131 sites Security covered
View on drupal.org

This module adds an endpoint for revoking OAuth 2.0 access and refresh tokens previously issued by the Simple OAuth module. It allows clients to invalidate tokens using requests to the `/oauth/revoke` endpoint, ensuring that the client issuing the token is properly authenticated.

This module implements the token revocation endpoint for OAuth 2.0 as outlined by RFC 7009.

After enabling this module, an /oauth/revoke endpoint will be available to
revoke access or refresh tokens previously obtained by the Simple OAuth module.

Revoking a Token

To revoke a token, a POST request can be made to /oauth/revoke.
The body of the request must be in the application/x-www-form-urlencoded format and contain a token parameter set to the token to revoke.

Authorization

The request must be authorized with the client that originally issued the tokens. The client_id and client_secret can be provided in the request body or via Basic authentication.
Alternatively, a bearer token may be used to authorize the request.

Example

curl --location 'https://example.com/oauth/revoke' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<access or refresh token>' \
--data-urlencode 'client_id=<client id>' \
--data-urlencode 'client_secret=<client secret>'

For more details, see the RFC 7009 specification.

Activity

Total releases
1
First release
Aug 2025
Latest release
10 months ago
Releases (12 mo)
1 ▲ from 0
Maintenance
Slowing

Releases

Version Type Release date
3.0.0 Stable Aug 22, 2025