# OAuth token revocation

Call Kit's OAuth token revocation endpoint when a creator disconnects your app from your side, or when you otherwise need to invalidate the credentials Kit issued you. This endpoint follows [RFC 7009 (OAuth 2.0 Token Revocation)](https://datatracker.ietf.org/doc/html/rfc7009).

After a successful revoke, Kit will:

* Mark the access token (and any associated refresh token) as revoked.
* Disable the matching plugin authorization for that creator on Kit's side.
* Asynchronously clear any partner credentials Kit holds for that creator on your behalf.

This keeps the connection state in sync on both ends, so your app doesn't end up with stale tokens after a creator disconnects from your side.

## Endpoint

```
POST https://api.kit.com/v4/oauth/revoke
```

## Request

`Content-Type: application/x-www-form-urlencoded`

<AccordionGroup>
  <Accordion title="Body parameters">
    <ResponseField name="token" type="string" required={true}>
      The Kit-issued token to revoke. Both access tokens and refresh tokens are accepted.
    </ResponseField>

    <ResponseField name="client_id" type="string" required={true}>
      Your app's Client ID.
    </ResponseField>

    <ResponseField name="client_secret" type="string" required={true}>
      Your app's Client Secret.
    </ResponseField>

    <ResponseField name="token_type_hint" type="string" required={false}>
      Optional hint of the token's type: `access_token` or `refresh_token`. Supplying it lets Kit look the token up in one place instead of two; if the hint is wrong, Kit falls back to checking the other type.
    </ResponseField>
  </Accordion>

  <Accordion title="Code samples">
    <CodeGroup>
      ```shell shell theme={null}
          curl -X POST https://api.kit.com/v4/oauth/revoke \
              -H 'Content-Type: application/x-www-form-urlencoded' \
              -H 'Accept: application/json' \
              -d 'token=YOUR_ACCESS_TOKEN_HERE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'
      ```

      ```javascript Javascript theme={null}
          const headers = {
              'Content-Type': 'application/x-www-form-urlencoded',
              'Accept': 'application/json'
          };
          const inputBody = new URLSearchParams({
              token: 'YOUR_ACCESS_TOKEN_HERE',
              client_id: 'YOUR_CLIENT_ID',
              client_secret: 'YOUR_CLIENT_SECRET'
          }).toString();

          fetch('https://api.kit.com/v4/oauth/revoke', {
              method: 'POST',
              body: inputBody,
              headers: headers
          })
          .then(function(res) {
              console.log(res.status);
          });
      ```

      ```ruby Ruby theme={null}
          require 'rest-client'

          headers = {
              'Content-Type' => 'application/x-www-form-urlencoded',
              'Accept' => 'application/json'
          }
          payload = {
              'token' => 'YOUR_ACCESS_TOKEN_HERE',
              'client_id' => 'YOUR_CLIENT_ID',
              'client_secret' => 'YOUR_CLIENT_SECRET'
          }

          RestClient.post 'https://api.kit.com/v4/oauth/revoke', payload, headers
      ```

      ```python Python theme={null}
          import requests

          headers = {
              'Content-Type': 'application/x-www-form-urlencoded',
              'Accept': 'application/json'
          }
          data = {
              'token': 'YOUR_ACCESS_TOKEN_HERE',
              'client_id': 'YOUR_CLIENT_ID',
              'client_secret': 'YOUR_CLIENT_SECRET'
          }

          r = requests.post('https://api.kit.com/v4/oauth/revoke', headers=headers, data=data)

          print(r.status_code)
      ```
    </CodeGroup>
  </Accordion>
</AccordionGroup>

## Response

**200 OK** on success, with an empty response body.

<Note>
  Per [RFC 7009 §2.2](https://datatracker.ietf.org/doc/html/rfc7009#section-2.2), the endpoint also responds with `200 OK` if the token is unknown, already revoked, or expired. This is intentional and prevents token enumeration. Treat a `200` response as "the token is no longer valid", regardless of whether it was valid before the call.
</Note>
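The request format and the "200 means no longer valid" rule above combine into a small client-side disconnect routine. The following is an added example, not Kit's own code: `StoredGrant` is a hypothetical local record of a creator's authorization, and the `transport` callable is an assumption introduced so the revoke logic can be exercised without network access (the default `urllib_transport` performs the real POST). The endpoint URL, parameter names and header values are those from this page.

```python
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REVOKE_URL = "https://api.kit.com/v4/oauth/revoke"

# Transport signature: (url, headers, form_body) -> HTTP status code.
# Injected (an assumption of this example) so the logic runs offline in tests;
# the default below performs the real request with urllib.
Transport = Callable[[str, Dict[str, str], bytes], int]


def build_revoke_request(token: str, client_id: str, client_secret: str,
                         token_type_hint: Optional[str] = None) -> Tuple[Dict[str, str], bytes]:
    """Build headers and the form-encoded body for POST /v4/oauth/revoke."""
    if token_type_hint not in (None, "access_token", "refresh_token"):
        raise ValueError("token_type_hint must be 'access_token' or 'refresh_token'")
    params = {"token": token, "client_id": client_id, "client_secret": client_secret}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # The token and client secret travel in the body (RFC 7009); never log the
    # body or move these values into the query string.
    return headers, urllib.parse.urlencode(params).encode("ascii")


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> int:
    """Default transport: one POST over HTTPS, returning the status even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


@dataclass
class StoredGrant:
    """Hypothetical local record of a creator's authorization (not Kit's schema)."""
    creator_id: str
    access_token: str
    refresh_token: str


def disconnect_creator(grant: StoredGrant, client_id: str, client_secret: str,
                       transport: Transport = urllib_transport) -> bool:
    """Revoke the grant at Kit, then discard the local copy.

    Returns True when Kit answered 200, which per the page means the token is no
    longer valid whether or not it was valid before the call. Revoking the access
    token also revokes its associated refresh token, so a single request is enough.
    """
    headers, body = build_revoke_request(
        grant.access_token, client_id, client_secret, token_type_hint="access_token"
    )
    status = transport(REVOKE_URL, headers, body)
    if status == 200:
        grant.access_token = ""
        grant.refresh_token = ""
        return True
    # Any other status (bad client credentials, a transient server error, ...):
    # keep the stored tokens and report failure so the revoke can be retried,
    # instead of deleting our copy while a live credential may remain at Kit.
    return False
```

Only a `200` clears the local record; every other outcome leaves the tokens in place and returns `False`, so the caller can schedule a retry and the disconnect is never silently half-finished.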
