OAuth 2.0 Token Revocation

This section contains the generic implementation of RFC7009.

Revocation Endpoint

class authlib.specs.rfc7009.RevocationEndpoint(uri, params, headers, client_model)

Implementation of revocation endpoint which is described in RFC7009.

  • uri – HTTP request URI string.
  • params – HTTP query or payload parameters.
  • headers – HTTP request headers dict.
  • client_model – A model class that implemented the methods described by ClientMixin.

Validate requested client with Basic Authorization. Developers can re-implement this method for other authenticate means.


The client constructs the request by including the following parameters using the “application/x-www-form-urlencoded” format in the HTTP request entity-body:

REQUIRED. The token that the client wants to get revoked.
OPTIONAL. A hint about the type of the token submitted for revocation.

Validate revocation request and create the response for revocation.

Returns:(status_code, body, headers)
query_token(token, token_type_hint, client)

Get the token from database/storage by the given token string. Developers should implement this method:

def query_token(self, token, token_type_hint, client):
    if token_type_hint == 'access_token':
        return Token.query_by_access_token(token, client.client_id)
    if token_type_hint == 'refresh_token':
        return Token.query_by_refresh_token(token, client.client_id)
    return Token.query_by_access_token(token, client.client_id) or                     Token.query_by_refresh_token(token, client.client_id)

Delete token from database/storage. Developers should implement this method:

def invalidate_token(self, token):