Revoking a token with revoke api

I have a token that was generated for an OIDC application in a device authorization grant_type flow. I want to revoke the token to test some token refresh logic. When I try to POST to the /revoke endpoint via Postman, the response received is:

    "errorCode": "invalid_client",
    "errorSummary": "No client credentials found.",

From Okta docs I see that it requires client authentication. The app does not have a client secret so I cannot put that into body or a basic auth header. I’ve seen an example in the forum here where just passing token, hint and client_id should work provided that these items are true, which is correct in my case.

  • the cid claim inside the access token matches the client_id declared in the body
  • the token is revoked on the same authorization server that was used to generate it
  • the OIDC application is active inside your Okta org

However, that just returns the invalid client error. Here is a redacted sample of what I’m sending:

curl --location --request POST '' \
--header 'Accept: application/json' \
--header 'Authorization: Basic' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyJra...' \
--data-urlencode 'token_type_hint=access_token' \
--data-urlencode 'client_id=...'

Hi @sdunning! Looks like you should add ‘Authorization: none’ instead (OpenID Connect & OAuth 2.0 API | Okta Developer), since you don’t have a client secret, and in this example I see that it is not even included: Configure Device Authorization Grant Flow | Okta Developer. Please give that a try and let us know if that worked. Also, here are all other possible request params to this endpoint: OpenID Connect & OAuth 2.0 API | Okta Developer.


My mistake, I totally overlooked that I was sending ‘Authorization: Basic’ in the headers. Once I removed that I get a 200 response back. Thanks!!
