This module implements the token revocation endpoint for OAuth 2.0 as outlined by RFC 7009.
After enabling this module, an /oauth/revoke endpoint will be available to
revoke access or refresh tokens previously obtained by the Simple OAuth module.
Revoking a Token
To revoke a token, a POST request can be made to /oauth/revoke.
The body of the request must be in the application/x-www-form-urlencoded format and contain a token parameter set to the token to revoke.
Authorization
The request must be authorized as the client to which the tokens were originally issued. The client_id and client_secret can be provided in the request body or via Basic authentication.
Alternatively, a bearer token may be used to authorize the request.
Example
curl --location 'https://example.com/oauth/revoke' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'token=<access or refresh token>' \
  --data-urlencode 'client_id=<client id>' \
  --data-urlencode 'client_secret=<client secret>'
For more details, see the RFC 7009 specification.
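The three authorization options described above (credentials in the body, Basic authentication, bearer token), shown as an added Python example that is not part of the module or its documentation. The names build_revoke_request and revoke, their parameters, and the choice to allow exactly one authorization method per request are assumptions of this example.

```python
import base64
import urllib.parse
import urllib.request

REVOKE_URL = "https://example.com/oauth/revoke"  # host taken from the curl example


def build_revoke_request(token, *, client_id=None, client_secret=None,
                         bearer=None, use_basic=False, url=REVOKE_URL):
    """Build (without sending) a POST to /oauth/revoke with exactly one auth method.

    Hypothetical helper: the function and parameter names are this example's own.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send tokens or secrets over a non-TLS URL")
    form = {"token": token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer is not None:
        if client_id is not None or client_secret is not None:
            raise ValueError("pass a bearer token or client credentials, not both")
        headers["Authorization"] = "Bearer " + bearer
    elif client_id is None or client_secret is None:
        raise ValueError("client_id and client_secret are both required")
    elif use_basic:
        # RFC 7617: the user-id part of Basic credentials cannot contain a
        # colon, because the receiver splits "id:secret" on the first one.
        if ":" in client_id:
            raise ValueError("client_id must not contain ':' for Basic authentication")
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    else:
        form.update(client_id=client_id, client_secret=client_secret)
    # Everything sensitive goes in the body or a header, never the query string,
    # so it stays out of access logs and Referer headers.
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def revoke(request, timeout=10):
    """Send the request and return the HTTP status (raises HTTPError on 4xx/5xx).

    RFC 7009 section 2.2 answers 200 both for a revoked token and for an
    unknown one, so 200 alone does not prove the token was ever valid.
    """
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status
```
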
Project information
Minimally maintained
Maintainers monitor issues, but fast responses are not guaranteed.
- Project categories: Access control
- Ecosystem: Simple OAuth (OAuth2) & OpenID Connect
148 sites report using this module
- Created by bbeversdorf on , updated
Stable releases for this project are covered by the security advisory policy.
Releases
Supports Drupal 11 and simple_oauth 6.x

