Token revocations
Does deleting a user also revoke all their active tokens? The documentation suggests the API rejects requests for deleted users—does this inherently invalidate their tokens?
Is there a way to revoke all active tokens across all clients in the project?
Is it possible to verify whether a token has been revoked without using the client—for example, via a curl request?
This always returns
curl -X POST --location "https://mydomain.com/oauth/v2/introspect" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'client_assertion=eyJhbGciOi...&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMxNjkwNTk2NjIyNDI3NzUwNiIsInR5cCI6IkpXVCJ9.eyJhbXIiOlsicHdkIl0sImF0X2hhc2giOiJFOVNyMHMzemF3d0EtRXZlYWVqbUlnIiwiYXVkIjpbIjMxNTc0NTc3NDc0NDk2MTAyOCIsIjMxNTc0NTc3NDc5NTI5MjY3NiIsIjMxNTc0NTc3NDEwNzM2MTI4NCJdLCJhdXRoX3RpbWUiOjE3NDUzODY4NDEsImF6cCI6IjMxNTc0NTc3NDc0NDk2MTAyOCIsImNsaWVudF9pZCI6IjMxNTc0NTc3NDc0NDk2MTAyOCIsImVtYWlsIjoid0B3LmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE3NDU0MzAwNDUsImZhbWlseV9uYW1lIjoidyIsImdpdmVuX25hbWUiOiJ3IiwiaWF0IjoxNzQ1Mzg2ODQ1LCJpc3MiOiJodHRwczovL2xvZ2luLnNtaW5vLm5ldCIsImxvY2FsZSI6ImRlIiwibmFtZSI6IncgdyIsIm5vbmNlIjoiVkhaVlIzYzVURzFyV0ZVemVrRnZUMmxPYW5aM2RuVXdjSHBRYlUxQlQwRTNZVXBOYkdVMWNFOXBjRGR1IiwicHJlZmVycmVkX3VzZXJuYW1lIjoid0B3LmNvbSIsInNpZCI6IlYxXzMxNjkwNjI0NTQzMDcwNjE3OCIsInNtaW5vOmNyZWF0ZWRBdCI6IjIwMjUtMDQtMjNUMDU6Mzk6MTkiLCJzdWIiOiJjZjY2YWUzN2QwZDJjNzM1NGZmMzA4ZGQ4MjI5MzE3MSIsInVwZGF0ZWRfYXQiOjE3NDUzODY3NjAsInVzZXJJZCI6ImNmNjZhZTM3ZDBkMmM3MzU0ZmYzMDhkZDgyMjkzMTcxIn0.Rp9SRp4daAghgrhhyvxIFnTXnXkMUez9WBCglr0D4MbpFz9SU4126e9X3CtcS7K5jy5OBWVpEgdB4rqLBS9YYPEHir2QXVSALDHlxr2thWGYimkmQ78l0MGfI8Jw4zthCxc0J3CjrhO3m8k4eGUFQrPk70RPjkJ-IlgbBS-hJwd5WBpzyb0WSVMglR9y1fH2St9cPie9fOfvQnbyORGFEx8aeZ7jHHh3dLJ5UUQP29EXOKBEuEJyV9m1_hPKypgjGY68faIbZVmvauoryMGPm-i8KyPkeIDsbY7CIQYEWcRUzXgs8Ns1k_OSn3Lbgmob7S3Shfqlt7tjXO94QmqBLQ'
Is there a way to revoke all active tokens across all clients in the project?
Is it possible to verify whether a token has been revoked without using the client—for example, via a curl request?
This always returns
{active: false}curl -X POST --location "https://mydomain.com/oauth/v2/introspect" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'client_assertion=eyJhbGciOi...&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMxNjkwNTk2NjIyNDI3NzUwNiIsInR5cCI6IkpXVCJ9.eyJhbXIiOlsicHdkIl0sImF0X2hhc2giOiJFOVNyMHMzemF3d0EtRXZlYWVqbUlnIiwiYXVkIjpbIjMxNTc0NTc3NDc0NDk2MTAyOCIsIjMxNTc0NTc3NDc5NTI5MjY3NiIsIjMxNTc0NTc3NDEwNzM2MTI4NCJdLCJhdXRoX3RpbWUiOjE3NDUzODY4NDEsImF6cCI6IjMxNTc0NTc3NDc0NDk2MTAyOCIsImNsaWVudF9pZCI6IjMxNTc0NTc3NDc0NDk2MTAyOCIsImVtYWlsIjoid0B3LmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE3NDU0MzAwNDUsImZhbWlseV9uYW1lIjoidyIsImdpdmVuX25hbWUiOiJ3IiwiaWF0IjoxNzQ1Mzg2ODQ1LCJpc3MiOiJodHRwczovL2xvZ2luLnNtaW5vLm5ldCIsImxvY2FsZSI6ImRlIiwibmFtZSI6IncgdyIsIm5vbmNlIjoiVkhaVlIzYzVURzFyV0ZVemVrRnZUMmxPYW5aM2RuVXdjSHBRYlUxQlQwRTNZVXBOYkdVMWNFOXBjRGR1IiwicHJlZmVycmVkX3VzZXJuYW1lIjoid0B3LmNvbSIsInNpZCI6IlYxXzMxNjkwNjI0NTQzMDcwNjE3OCIsInNtaW5vOmNyZWF0ZWRBdCI6IjIwMjUtMDQtMjNUMDU6Mzk6MTkiLCJzdWIiOiJjZjY2YWUzN2QwZDJjNzM1NGZmMzA4ZGQ4MjI5MzE3MSIsInVwZGF0ZWRfYXQiOjE3NDUzODY3NjAsInVzZXJJZCI6ImNmNjZhZTM3ZDBkMmM3MzU0ZmYzMDhkZDgyMjkzMTcxIn0.Rp9SRp4daAghgrhhyvxIFnTXnXkMUez9WBCglr0D4MbpFz9SU4126e9X3CtcS7K5jy5OBWVpEgdB4rqLBS9YYPEHir2QXVSALDHlxr2thWGYimkmQ78l0MGfI8Jw4zthCxc0J3CjrhO3m8k4eGUFQrPk70RPjkJ-IlgbBS-hJwd5WBpzyb0WSVMglR9y1fH2St9cPie9fOfvQnbyORGFEx8aeZ7jHHh3dLJ5UUQP29EXOKBEuEJyV9m1_hPKypgjGY68faIbZVmvauoryMGPm-i8KyPkeIDsbY7CIQYEWcRUzXgs8Ns1k_OSn3Lbgmob7S3Shfqlt7tjXO94QmqBLQ'
