Skip to content
POLST Developer Docs

Revoke a refresh token family (idempotent).

POST
/auth/token/revoke

Revokes the entire refresh-token family associated with the submitted token. Idempotent: an unknown or already-revoked token returns success: true with no error — this prevents leaking whether a particular token ever existed.

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Header Parameters

Section titled “Header Parameters ”
X-API-Key-ID
required
string
>= 1 characters

Trusted App API key id (format pol_tai_<24 base64url>).

X-API-Key-Secret
required
string
>= 1 characters

Trusted App API key secret (64 hex). Never logged, never echoed.

Request Body required

Section titled “Request Body required ”
object
refreshToken
required
string
>= 1 characters

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Family revoked (or token unknown — idempotent success).

object
success
required
boolean

400

Section titled “400 ”

Validation error.

object
error
required
object
code
required
string
message
required
string
details
Any of:
object
key
additional properties

401

Section titled “401 ”

Invalid API key credentials.

object
error
required
object
code
required
string
message
required
string
details
Any of:
object
key
additional properties

429

Section titled “429 ”

Rate limit exceeded.

object
error
required
object
code
required
string
message
required
string
details
Any of:
object
key
additional properties