# Revoking Authorization

You should revoke your access on behalf of your users rather than directing them to our site, for example when they unsubscribe from your service or no longer want to use your calendar integration features.

Authorization is revoked as specified in <a href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a>. Authentication is performed by including your `client_id` and `client_secret`, as issued by Cronofy, within the body of the request.

As with the rest of the API, all requests can be made with a <a href="http://json.org/">JSON-</a> or forms-encoded request body, though a JSON-encoded request is recommended. You must specify the `Content-Type` header of your requests as either `application/json; charset=utf-8` or `application/x-www-form-urlencoded` to signal your request body is JSON- or forms-encoded, respectively.

Once revoked, authorization can only be regained by [requesting it again](/developers/api/authorization/request-authorization/index.md).

#### URL format
```
{data_center_url}/oauth/token/revoke
```

#### Example Request
```http
POST /oauth/token/revoke HTTP/1.1
Host: {data_center_url}
Content-Type: application/json; charset=utf-8

{
  "client_id": "{CLIENT_ID}",
  "client_secret": "{CLIENT_SECRET}",
  "sub": "{SUB}"
}
```

#### Example Response
```http
HTTP/1.1 200 OK
```

#### Request parameters
##### `data_center_url` *(required)*

The URL for the data center you want to communicate with. Possible choices are:

- `api-au.cronofy.com` - Australia
- `api-ca.cronofy.com` - Canada
- `api-de.cronofy.com` - Germany
- `api-sg.cronofy.com` - Singapore
- `api-uk.cronofy.com` - United Kingdom
- `api.cronofy.com` - United States

Find out more about [Cronofy's data centers](/developers/data-centers/index.md).

##### `client_id` *(required)*

The `client_id` issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your `client_secret`.

##### `client_secret` *(required)*

The `client_secret` issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client along with your `client_id`.

##### `sub` *(optional)*

Either `token` or `sub` is required.

The `sub` value for the Organizational Unit you wish to revoke.

##### `token` *(optional)*

Either `token` or `sub` is required. `token` will take priority if passed.

Either the `refresh_token` or `access_token` for the authorization you wish to revoke.

It is recommended that you use the `refresh_token`, as it cannot have expired and so cannot have become impossible to revoke. <a href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a> makes no provision for a different response when the provided `token` has already been revoked, has already expired, or does not exist.

Passing either a `refresh_token` or an `access_token` will revoke the corresponding `refresh_token` and all related `access_token`s.

#### Response parameters
This request has no response body.

#### Error responses
##### 400 Bad Request

Follows the format specified in <a href="https://www.rfc-editor.org/rfc/rfc6749#section-5.2">section 5.2 of RFC 6749</a>. Common examples are provided for reference.

###### Invalid Client
Signifies an unrecognized combination of `client_id` and `client_secret`.

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8

{
  "error": "invalid_client"
}
```

This error can be resolved by ensuring your `client_id` and `client_secret` are set correctly. Alternatively, you may ask Cronofy to issue you new client credentials, but be aware that this will revoke all existing Access and Refresh Tokens.
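
A small client for this endpoint, added here as an example and not Cronofy's own code: it assumes HTTPS and Python's standard library, and the function names are hypothetical. It only accepts the data center hosts listed above, so the `client_secret` is never posted to any other host, and it sends `token` alone when both `token` and `sub` are supplied.

```python
import json
import urllib.error
import urllib.request

# Data center hosts as listed on this page.
DATA_CENTERS = {
    "api-au.cronofy.com", "api-ca.cronofy.com", "api-de.cronofy.com",
    "api-sg.cronofy.com", "api-uk.cronofy.com", "api.cronofy.com",
}


def build_revoke_request(data_center, client_id, client_secret, token=None, sub=None):
    """Build the POST for /oauth/token/revoke without sending it."""
    # Refuse unknown hosts so the client_secret only goes to a listed data center.
    if data_center not in DATA_CENTERS:
        raise ValueError(f"unknown data center: {data_center!r}")
    if not token and not sub:
        raise ValueError("either token or sub is required")
    body = {"client_id": client_id, "client_secret": client_secret}
    # token takes priority if both are passed, so send only one of them.
    body.update({"token": token} if token else {"sub": sub})
    return urllib.request.Request(
        f"https://{data_center}/oauth/token/revoke",  # https scheme is an assumption
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )


def interpret_response(status, body):
    """Map a status code and raw body to (revoked, error_code)."""
    if status == 200:
        # No response body; RFC 7009 gives the same answer for unknown tokens.
        return True, None
    try:
        error = json.loads(body or b"{}").get("error", "unknown_error")
    except (ValueError, AttributeError):
        error = "unknown_error"
    return False, error


def revoke(data_center, client_id, client_secret, token=None, sub=None):
    req = build_revoke_request(data_center, client_id, client_secret, token, sub)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 4xx responses carry the RFC 6749 section 5.2 error body.
        return interpret_response(exc.code, exc.read())
```

Because a `200` is also returned for a token that was already revoked, expired, or never existed, treat `(True, None)` as "this authorization is no longer usable" and delete your stored tokens for that user either way.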


