Revoking Authorization

Required plan: Starter

You may wish to revoke your access on behalf of your users rather than directing them to our site, for example when they unsubscribe from your service or no longer want to use your calendar integration features.

Authorization is revoked as specified in RFC 7009, authentication is performed by including your client_id and client_secret, as issued by Cronofy, within the body of the request.

As with the rest of the API, all requests can be made with a JSON- or forms-encoded request body, though a JSON-encoded request is recommended. You must specify the Content-Type header of your requests as either application/json; charset=utf-8 or application/x-www-form-urlencoded to signal your request body is JSON- or forms-encoded, respectively.

Once revoked, authorization can only be regained by requesting it again.

This endpoint may be used to revoke individuals’ authorizations, or Service Account Authorizations.

When revoking the Authorization for a Service Account, all related individual accounts which were authorized via the Service Account will also have their Authorizations revoked.

URL format #

{data_center_url}/oauth/token/revoke

Example Request #

POST /oauth/token/revoke HTTP/1.1
Host: {data_center_url}
Content-Type: application/json; charset=utf-8

{
  "client_id": "{CLIENT_ID}",
  "client_secret": "{CLIENT_SECRET}",
  "token": "{TOKEN}"
}

Example Response #

HTTP/1.1 200 OK

Request parameters #

data_center_url required

The URL for the data center you want to communicate with. Possible choices are:

api-au.cronofy.com - 🇦🇺 Australia
api-ca.cronofy.com - 🇨🇦 Canada
api-de.cronofy.com - 🇩🇪 Germany
api-sg.cronofy.com - 🇸🇬 Singapore
api-uk.cronofy.com - 🇬🇧 United Kingdom
api.cronofy.com - 🇺🇸 United States

Find out more about Cronofy's data centers.

client_id required #

The client_id issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your client_secret.

client_secret required #

The client_secret issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your client_id.

token optional #

Either token or sub are required. token will take priority if passed.

Either the refresh_token or access_token for the authorization you wish to revoke.

It is recommended that you use the refresh_token as that cannot have expired and therefore be impossible to revoke. RFC 7009 does not provide any provision for a different response when the provided token has already been revoked, has already expired, or does not exist.

Passing either a refresh_token or an access_token will revoke the corresponding refresh_token and all related access_tokens.

sub optional #

Either token or sub are required.

The sub value for the account you wish to revoke.

Response parameters #

This request has no response body.

Error responses #

400 Bad Request #

Follows the format specified in section 5.2 of RFC 6749, common examples are provided for reference.

Invalid Client

Signifies an unrecognized combination of client_id and client_secret.

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8

{
  "error": "invalid_client"
}

This error can be resolved by ensuring your client_id and client_secret are set correctly. Alternatively, you may ask Cronofy to issue you new client credentials but be aware that this will revoke all existing Access and Refresh Tokens.