HTTP API: Revoking Webtask Tokens

Revoked webtask tokens can no longer be used


The HTTP API is deprecated for public usage and access will be removed soon.

A webtask token can be revoked in order to prevent its future use to execute webtasks. When a webtask token is revoked, all webtask tokens directly or indirectly issued using it are also revoked. Revocation cannot be undone.

To revoke a webtask token, send an HTTP POST request to /api/tokens/revoke. The request must specify the webtask token to revoke through the token URL query parameter, or a token parameter in the application/json or application/x-www-form-urlencoded request body. Furthermore, the HTTP POST must be authenticated with a webtask token granting sufficient permissions to revoke the specified token:

curl https://sandbox.auth0-extend.com/api/tokens/revoke \
  -H "Authorization: Bearer {authenticating_webtask_token}" \
  --data "token={webtask_token_to_revoke}"  

The following authorization rules apply for the revocation request:

  • The {authenticating_webtask_token} can be the same as {webtask_token_to_revoke} if the token does not specify the dr=1 claim. That means, a webtask token can revoke itself unless explicitly prevented from doing so at the time of its issuance.
  • The {authenticating_webtask_token} can be any of the ancestors in the issuance chain of the {webtask_token_to_revoke}. This means any of the ancestors of a webtask token can be used to revoke it.

The response of the API may be as follows:


the token has been successfully revoked.


request is malformed; token has not been revoked.


the {authenticating_webtask_token} does not grant sufficient permissions to revoke the {webtask_token_to_revoke}; token has not been revoked.


internal error; token has not been revoked.

NOTE: Revoked tokens may still be accepted for a short time after revocation (by default 2 minutes) due to caching of revocation status in the webtask runtime.
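The authorization rules, the cascade to issued tokens and the cache window described above, as an added Python model for reasoning about which token can revoke which and when a revocation is fully effective. It is not code from the original page or from the webtask service: the Token class, its jti and parent fields and all function names are assumptions for illustration; only the dr claim and the 2-minute default come from the page.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

CACHE_WINDOW_S = 120  # default revocation-cache lifetime stated on the page (2 minutes)

@dataclass(eq=False)
class Token:
    jti: str                            # hypothetical token identifier
    parent: Optional["Token"] = None    # token that was used to issue this one
    dr: int = 0                         # dr=1 claim: token may not revoke itself
    revoked_at: Optional[float] = None  # time of explicit revocation, if any

    def ancestors(self) -> Iterator["Token"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

def may_revoke(auth: Token, target: Token) -> bool:
    """Rule 1: self-revocation unless dr=1. Rule 2: any ancestor may revoke."""
    if auth is target:
        return target.dr != 1
    return any(a is auth for a in target.ancestors())

def revoke(auth: Token, target: Token, now: float) -> bool:
    """Record the revocation if authorized; revocation cannot be undone."""
    if not may_revoke(auth, target):
        return False
    if target.revoked_at is None:
        target.revoked_at = now
    return True

def revoked_since(token: Token) -> Optional[float]:
    """Earliest revocation of the token or an ancestor (revocation cascades down)."""
    times = [t.revoked_at for t in (token, *token.ancestors()) if t.revoked_at is not None]
    return min(times) if times else None

def may_still_be_accepted(token: Token, now: float) -> bool:
    """Worst case: a revoked token stays usable until the cache window has passed."""
    since = revoked_since(token)
    return since is None or now < since + CACHE_WINDOW_S

if __name__ == "__main__":
    root = Token("root")                # constructed sample issuance chain
    child = Token("child", root)
    leaf = Token("leaf", child)
    revoke(root, child, now=1000.0)
    print(may_still_be_accepted(leaf, 1060.0), may_still_be_accepted(leaf, 1120.0))
```

When responding to a leaked token, treat everything issued from it as live until the cache window has elapsed after the revocation call returns.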