HTTP API: Revoking Webtask Tokens

Revoked webtask tokens can no longer be used

For customized documentation and ready to run samples, please log in.

A webtask token can be revoked in order to prevent its future use to execute webtasks. When a webtask token is revoked, all webtask tokens directly or indirectly issued using it are also revoked. Revocation cannot be undone.

To revoke a webtask token, send an HTTP POST request to /api/tokens/revoke. The request must specify the webtask token to revoke through the token URL query paramater, or a token paramater in the application/json or application/x-www-urlformencoded request body. Furthermore, the HTTP POST must be authenticated with a webtask token granting sufficient permissions to revoke the specified token:

curl https://webtask.it.auth0.com/api/tokens/revoke \
  -H "Authorization: Bearer {authenticating_webtask_token}" \
  --data "token={webtask_token_to_revoke}"  

The following authorization rules apply for the revocation request:

  • The {authenticating_webtask_token} can be the same as {webtask_token_to_revoke} if the token does not specify the dr=1 claim. That means, a webtask token can revoke itself unless explicitly prevented from doing so at the time of its issuance.
  • The {authenticating_webtask_token} can be any of the ancestors in the issuance chain of the {webtask_token_to_revoke}. This means any of the ancestors of a webtask token can be used to revoke it.

The response of the API may be as follows:


the token has been successful revoked.


request is malformed; token has not been revoked.


the {authenticating_webtask_token} does not grant sufficient permissions to revoke the {webtask_token_to_revoke}; token has not been revoked.


internal error; token has not been revoked.

NOTE revoked tokens may still be accepted for a short time after revocation (by default 2 minutes) due to caching of revocation status in the webtask runtime.