# Revoke a Refresh Token in OAuth2

When using refresh tokens in OAuth2, it's important to have a proper revocation mechanism in place, especially when users log out or when a token is suspected to be compromised.

The OAuth2 specification defines a **revocation endpoint** that clients can call to explicitly invalidate a token, preventing it from being used again.

## How it works

To revoke a refresh token, your application should send a POST request to the authorization server’s revocation endpoint.

You need to include:

- The `token` you want to revoke
- The `token_type_hint` (optional but recommended)
- Client authentication (usually using `client_id` and `client_secret`)

Here’s how to do it in code:

```ts
// `issuer`, `clientId`, `clientSecret` and `refreshToken` come from your app's
// configuration and the current session.
const response = await fetch(new URL("/revoke", issuer), {
  method: "POST",
  headers: {
    // Client authentication with HTTP Basic (client_id:client_secret)
    Authorization: `Basic ${btoa(clientId + ":" + clientSecret)}`,
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: new URLSearchParams({
    token: refreshToken,
    token_type_hint: "refresh_token",
  }),
});

// The server answers 200 once the token is invalid; anything else means it
// may still be usable, so don't silently treat the call as done.
if (!response.ok) {
  throw new Error(`Token revocation failed with HTTP ${response.status}`);
}
```

This will invalidate the refresh token so it can no longer be used to obtain new access tokens.

Keep in mind that some providers also let you revoke access tokens the same way; just change the `token_type_hint` to `"access_token"`.
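As an added example that is not part of the original post, here is the same call wrapped in a small helper that keeps the server's answer and maps it to the outcomes RFC 7009 defines (200 even when the token was already invalid, 400 with an error code, 503 meaning "retry later"). The `issuer` URL, the client credentials and the injectable `fetchImpl` parameter are assumptions so the request building and response handling can be exercised offline.

```typescript
// Added example, not the post's code; issuer/client values are placeholders.
export interface RevokeParams {
  issuer: string; clientId: string; clientSecret: string; token: string;
  tokenTypeHint?: "refresh_token" | "access_token";
}
export type RevokeResult = { ok: true } | { ok: false; error: string; retryable: boolean };
export interface RequestShape { method: "POST"; headers: Record<string, string>; body: string }
// Minimal fetch shape so the call can be exercised with a stub, offline.
type FetchLike = (url: string, init: RequestShape) => Promise<{ status: number; json(): Promise<unknown> }>;

// RFC 6749 §2.3.1: client_id and client_secret are form-urlencoded before
// being joined with ":" and base64-encoded for HTTP Basic.
export function basicAuthHeader(clientId: string, clientSecret: string): string {
  return `Basic ${btoa(`${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`)}`;
}

export function buildRevocationRequest(p: RevokeParams): { url: string; init: RequestShape } {
  const body = new URLSearchParams({ token: p.token });
  if (p.tokenTypeHint) body.set("token_type_hint", p.tokenTypeHint);
  return {
    url: new URL("/revoke", p.issuer).toString(),
    init: {
      method: "POST",
      headers: {
        Authorization: basicAuthHeader(p.clientId, p.clientSecret),
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body: body.toString(),
    },
  };
}

// RFC 7009 §2.2: 200 means the token is now invalid, whether it was revoked
// just now or was already invalid; the server deliberately does not say which.
// §2.2.1: failures are 400 with an OAuth error code such as
// "unsupported_token_type", 401 for bad client auth, or 503, after which the
// client must assume the token still exists and retry later.
export function classifyRevocation(status: number, body: unknown): RevokeResult {
  if (status === 200) return { ok: true };
  if (status === 503) return { ok: false, error: "temporarily_unavailable", retryable: true };
  const err = (body as { error?: unknown } | null)?.error;
  return { ok: false, error: typeof err === "string" ? err : `http_${status}`, retryable: false };
}

export async function revokeToken(p: RevokeParams, fetchImpl: FetchLike = fetch): Promise<RevokeResult> {
  const { url, init } = buildRevocationRequest(p);
  const res = await fetchImpl(url, init);
  const body = await res.json().catch(() => null); // a 200 reply has no body to parse
  return classifyRevocation(res.status, body);
}
```

A `retryable` result is the one case where the token should still be treated as live; log the revocation failure and schedule another attempt rather than ending the session as if it succeeded.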

---

Want to master secure OAuth2 flows in React Router apps?

📘 My book *React Router OAuth2 Handbook* is now available!

It covers everything from the basics to advanced topics like PKCE, refresh tokens, and E2E auth testing.

→ [books.sergiodxa.com/release](https://go.sergiodxa.com/x6EE88z)
