# Revoking Authorization

You may wish to revoke your access on behalf of your users rather than directing them to our site, for example when they unsubscribe from your service or no longer want to use your calendar integration features.

Authorization is revoked as specified in <a href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a>. Authentication is performed by including your `client_id` and `client_secret`, as issued by Cronofy, within the body of the request.

As with the rest of the API, all requests can be made with a <a href="http://json.org/">JSON-</a> or forms-encoded request body, though a JSON-encoded request is recommended. You must specify the `Content-Type` header of your requests as either `application/json; charset=utf-8` or `application/x-www-form-urlencoded` to signal your request body is JSON- or forms-encoded, respectively.

Once revoked, authorization can only be regained by [requesting it again](/developers/api/authorization/request-authorization/index.md).

> **INFO:** This endpoint may be used to revoke individuals' authorizations, or Service Account Authorizations.

When revoking the Authorization for a Service Account, all related individual accounts which were authorized via the Service Account will also have their Authorizations revoked.

#### URL format
```
{data_center_url}/oauth/token/revoke
```

#### Example Request
```http
POST /oauth/token/revoke HTTP/1.1
Host: {data_center_url}
Content-Type: application/json; charset=utf-8

{
  "client_id": "{CLIENT_ID}",
  "client_secret": "{CLIENT_SECRET}",
  "token": "{TOKEN}"
}
```

#### Example Response
```http
HTTP/1.1 200 OK
```

#### Request parameters
##### `data_center_url` *(required)*

The URL for the data center you want to communicate with. Possible choices are:

- `api-au.cronofy.com` - Australia
- `api-ca.cronofy.com` - Canada
- `api-de.cronofy.com` - Germany
- `api-sg.cronofy.com` - Singapore
- `api-uk.cronofy.com` - United Kingdom
- `api.cronofy.com` - United States

Find out more about [Cronofy's data centers](/developers/data-centers/index.md).

##### `client_id` *(required)*

The `client_id` issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your `client_secret`.

##### `client_secret` *(required)*

The `client_secret` issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your `client_id`.

##### `token` *(optional)*

Either `token` or `sub` is required. `token` will take priority if passed.

Either the `refresh_token` or `access_token` for the authorization you wish to revoke.

It is recommended that you use the `refresh_token`, as it cannot have expired and so can always be revoked. <a href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a> makes no provision for a different response when the provided `token` has already been revoked, has already expired, or does not exist.

Passing either a `refresh_token` or an `access_token` will revoke the corresponding `refresh_token` and all related `access_token`s.

##### `sub` *(optional)*

Either `token` or `sub` is required.

The `sub` value for the account you wish to revoke.

##### `request_pii_erasure` *(optional)*

A [`Boolean`](/developers/api/data-types/index.md) indicating whether you wish for the authorized data to be removed on a more aggressive timeline, usually within 48 hours, instead of following the [standard Data Retention timeline](/policies/data-management/index.md).

Defaults to `false`.

#### Response parameters
This request has no response body.

#### Error responses
##### 400 Bad Request

Follows the format specified in <a href="https://www.rfc-editor.org/rfc/rfc6749#section-5.2">section 5.2 of RFC 6749</a>. Common examples are provided for reference.

###### Invalid Client
Signifies an unrecognized combination of `client_id` and `client_secret`.

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8

{
  "error": "invalid_client"
}
```

This error can be resolved by ensuring your `client_id` and `client_secret` are set correctly. Alternatively, you may ask Cronofy to issue you new client credentials, but be aware that this will revoke all existing Access and Refresh Tokens.

##### 422 Unprocessable

###### Token or sub cannot be blank
Both `token` and `sub` are unset or have no value.

```json
{
  "error": "token_or_sub_cannot_be_blank"
}
```


