Revoking Authorization
Required plan: SchedulerYou should revoke your access on behalf of your users rather than directing them to our site, for example when they unsubscribe from your service or no longer want to use your calendar integration features.
Authorization is revoked as specified in RFC 7009, authentication is performed by including your client_id
and client_secret
, as issued by Cronofy, within the body of the request.
As with the rest of the API, all requests can be made with a JSON- or forms-encoded request body, though a JSON-encoded request is recommended. You must specify the Content-Type
header of your requests as either application/json; charset=utf-8
or application/x-www-form-urlencoded
to signal your request body is JSON- or forms-encoded, respectively.
Once revoked, authorization can only be regained by requesting it again.
URL format #
{data_center_url}/oauth/token/revoke
Example Request #
POST /oauth/token/revoke HTTP/1.1
Host: {data_center_url}
Content-Type: application/json; charset=utf-8
{
"client_id": "{CLIENT_ID}",
"client_secret": "{CLIENT_SECRET}",
"sub": "{SUB}"
}
Example Response #
HTTP/1.1 200 OK
Request parameters #
data_center_url required
The URL for the data center you want to communicate with. Possible choices are:
api-au.cronofy.com
- π¦πΊ Australiaapi-ca.cronofy.com
- π¨π¦ Canadaapi-de.cronofy.com
- π©πͺ Germanyapi-sg.cronofy.com
- πΈπ¬ Singaporeapi-uk.cronofy.com
- π¬π§ United Kingdomapi.cronofy.com
- πΊπΈ United States
Find out more about Cronofy's data centers.
client_id required #
The client_id
issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your client_secret
.
client_secret required #
The client_secret
issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your client_id
.
sub optional #
Either token
or sub
are required.
The sub
value for the Organizational Unit you wish to revoke.
token optional #
Either token
or sub
are required. token
will take priority if passed.
Either the refresh_token
or access_token
for the authorization you wish to revoke.
It is recommended that you use the refresh_token
as that cannot have expired and therefore be impossible to revoke. RFC 7009 does not provide any provision for a different response when the provided token
has already been revoked, has already expired, or does not exist.
Passing either a refresh_token
or an access_token
will revoke the corresponding refresh_token
and all related access_token
s.
Response parameters #
This request has no response body.
Error responses #
400 Bad Request #
Follows the format specified in section 5.2 of RFC 6749, common examples are provided for reference.
Invalid Client
Signifies an unrecognized combination of client_id
and client_secret
.
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
{
"error": "invalid_client"
}
This error can be resolved by ensuring your client_id
and client_secret
are set correctly. Alternatively, you may ask Cronofy to issue you new client credentials but be aware that this will revoke all existing Access and Refresh Tokens.