Call Kit’s OAuth token revocation endpoint when a creator disconnects your app from your side, or when you otherwise need to invalidate the credentials Kit issued you. This endpoint follows RFC 7009 (OAuth 2.0 Token Revocation). After a successful revoke, Kit will:
  • Mark the access token (and any associated refresh token) as revoked.
  • Disable the matching plugin authorization for that creator on Kit’s side.
  • Asynchronously clear any partner credentials Kit holds for that creator on your behalf.
This keeps the connection state in sync on both ends, so your app doesn’t end up with stale tokens after a creator disconnects from your side.

Endpoint

POST https://api.kit.com/v4/oauth/revoke

Request

Content-Type: application/x-www-form-urlencoded

  • token (string, required): The Kit-issued token to revoke. Both access tokens and refresh tokens are accepted.
  • client_id (string, required): Your app’s Client ID.
  • client_secret (string, required): Your app’s Client Secret.
  • token_type_hint (string): Optional hint at the token type, one of access_token or refresh_token. Speeds up the lookup. If the hint is wrong, Kit falls back to checking the other type.

    curl -X POST https://api.kit.com/v4/oauth/revoke \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'token=YOUR_ACCESS_TOKEN_HERE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'

Response

200 OK on success, with an empty response body.
Per RFC 7009 §2.2, the endpoint also responds with 200 OK if the token is unknown, already revoked, or expired. This is intentional and prevents token enumeration. Treat a 200 response as “the token is no longer valid”, regardless of whether it was valid before the call.
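
The disconnect flow described above, as an added example that is not Kit's own code: it posts the form-encoded revoke request and deletes the locally stored token only after Kit answers 200, so a failed call can be retried. The `store` dict, the function names and the 10-second timeout are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://api.kit.com/v4/oauth/revoke"  # endpoint from this page


def build_revoke_request(token, client_id, client_secret, token_type_hint=None):
    """Build the form-encoded POST; urlencode escapes '&', '=' and '+' in values."""
    if token_type_hint not in (None, "access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    fields = {"token": token, "client_id": client_id, "client_secret": client_secret}
    if token_type_hint:
        fields["token_type_hint"] = token_type_hint
    return urllib.request.Request(
        REVOKE_URL,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )


def revoke_and_forget(store, creator_id, client_id, client_secret,
                      send=urllib.request.urlopen):
    """Revoke the creator's token at Kit, then drop the local copy.

    `store` is a hypothetical dict of creator_id -> access token (assumption).
    Returns True once no usable token remains, False if the call should be retried.
    """
    token = store.get(creator_id)
    if token is None:
        return True  # nothing held locally for this creator
    req = build_revoke_request(token, client_id, client_secret, "access_token")
    try:
        with send(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # urlopen raises on 4xx/5xx responses
    except urllib.error.URLError:
        return False  # network failure: keep the token and retry later
    if status != 200:
        return False  # the page documents only 200 as success
    # 200 means "no longer valid", even if Kit never knew the token.
    del store[creator_id]
    return True
```

The request body carries the client secret and the token, so keep it out of application logs and error reports.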