POST /auth/api/revoke
Invalidates tokens: either a single token (by jti) or every live
token for the client account.
Accepts an already-expired access token. Omitting jti revokes every
live token for the account.
Use case
Suspected token leak: call with no body to kill everything, then re-issue via API key from a trusted host.
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | yes | Bearer <accessToken> — expired tokens are accepted here. |
Body
| Field | Type | Required | Description |
|---|---|---|---|
| jti | string | no | Specific token id to revoke. Omit to revoke all tokens for the caller. |
Response
204 No Content on success.
Errors
| Status | Meaning |
|---|---|
| 401 | Missing / malformed access token. |
| 404 | jti specified but not found for this client. |
Examples
Revoke everything (after a suspected leak):
curl -X POST "$BASE_URL/auth/api/revoke" \
-H "Authorization: Bearer $ACCESS"
Revoke a single token by jti:
curl -X POST "$BASE_URL/auth/api/revoke" \
-H "Authorization: Bearer $ACCESS" \
-H "Content-Type: application/json" \
-d '{ "jti": "b2c3…" }'
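
An added example, not part of this API's own documentation: a POSIX shell wrapper for the two calls above that maps the documented status codes to exit codes a runbook can branch on, and hands the bearer token to curl on stdin instead of on the command line. The function name `revoke_tokens`, its exit codes and the jti character check are assumptions of this example.

```shell
# Assumes BASE_URL and ACCESS are set as in the curl examples above.
# revoke_tokens [jti]
#   no argument: revoke every live token for the account
#   jti given:   revoke only that token
# Exit codes (chosen for this example): 0 = 204, 2 = 401, 3 = 404, 1 = other.
revoke_tokens() {
  rv_jti="${1-}"
  # --config - makes curl read extra options from stdin, so the bearer
  # token never shows up in the process list.
  set -- -sS -o /dev/null -w '%{http_code}' -X POST \
         "$BASE_URL/auth/api/revoke" --config -
  if [ -n "$rv_jti" ]; then
    # Assumption: ids use only these characters. Anything else is refused
    # rather than spliced unescaped into the JSON body.
    case "$rv_jti" in
      *[!A-Za-z0-9._-]*)
        echo "revoke: unexpected character in jti" >&2
        return 1 ;;
    esac
    set -- "$@" -H "Content-Type: application/json" \
           -d "{\"jti\":\"$rv_jti\"}"
  fi
  rv_status=$(printf 'header = "Authorization: Bearer %s"\n' "$ACCESS" |
              curl "$@") || {
    echo "revoke: request failed" >&2
    return 1
  }
  case "$rv_status" in
    204) return 0 ;;
    401) echo "revoke: access token missing or malformed" >&2; return 2 ;;
    404) echo "revoke: jti not found for this client" >&2; return 3 ;;
    *)   echo "revoke: unexpected status $rv_status" >&2; return 1 ;;
  esac
}
```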