No 'Access-Control-Allow-Origin' header is present error when post to revoke token

I am trying to call the API /v1/revoke from an Angular 6 client with OKTA implicit flow (using library angular-oauth2-oidc). From the sample program, I add a new function revokeToken() as the library doesn’t implement a revoke-token function. I include “http://localhost:8080” as a trusted origin but still get the following error:

I already include the origin in the trusted origin

And this is my function:

revokeToken() {
    const httpOptions = {
      headers: new HttpHeaders()
        .set('accept', 'application/json')
        .set('authorization', 'Basic ' + authConfig2.clientId)
        .set('content-type', 'application/x-www-form-urlencoded')

    const body = {
      'token': this.access_token,
      'token_type_hint': 'access_token'
    }; + '/v1/revoke', body, httpOptions)

What can be wrong?


PS: Revoking an access token with Postman works. It seems the OKTA trusted origin is not taken into account when the /v1/revoke responses (during browser pre-flight check).

Hi @hamdyl

  • The content-type needs to be set to “application/x-www-form-urlencoded” instead of “application/x-www-form-urlencoded/json”. This change applies also for the body of the request
  • If this is a Single Page App, the best solution would be to send the client_id in the body of the request instead of authorization header
  • Make sure to send withCredentials xHR attribute

You can find here a working example using XMLHttpRequest.

Hi @dragos
Thanks for the reply. My app is a SPA.

  • If I set the content-type to ‘application/x-www-form-urlencoded’, I will get an error saying ‘token’ is required. Therefore, I set to ‘application/json’
  • If I move the client_id into the request body, I will get Error 401 (not authorized)
  • I added header ‘withCredentials’ with ‘true’ => still not working

By the way, the link you provided cannot be accessed.

Hi @hamdyl

/revoke endpoint does not accept the parameters in JSON.
You can find below the example.

Revoke token example using XMLHttpRequest

<!DOCTYPE html>
<script type=“text/javascript”>
var baseUrl = ‘’;
var requestPath = ‘/oauth2/v1/revoke’;
var xhr = new XMLHttpRequest();
if (“withCredentials” in xhr) {
xhr.onerror = function() {
alert(‘Invalid URL or Cross-Origin Request Blocked. You must explicitly add this site (’ + window.location.origin + ‘) to the list of allowed websites in the administrator UI’);
xhr.onload = function() {
};‘POST’, baseUrl + requestPath, true);
xhr.setRequestHeader(“Accept”, “application/json”);
xhr.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);
xhr.withCredentials = true;
} else {
alert(“CORS is not supported for this browser!”)