Revoke tokens

Users can revoke the access tokens they have granted at any time by removing the trusted organization from their personal ORCID account settings. Your client can also revoke a token pair it generated by calling the ORCID API. ORCID's revocation endpoint follows the IETF OAuth 2.0 Token Revocation standard (RFC 7009).

Authenticate with your client ID and client secret and supply either the access token or its associated refresh token; either one revokes the whole pair. Token pairs created by both the two-step and three-step OAuth processes can be revoked. If you hold several token pairs for the same user, e.g. for different scopes, only the pair containing the token you specify is revoked; the others remain valid. As RFC 7009 specifies, the endpoint answers 200 OK on success, including for a token it no longer recognizes, so repeating a revocation is harmless.

We suggest revoking tokens in the following situations:

  • When a relationship with a third-party supplier ends, to revoke the tokens issued to that supplier;
  • When a user disconnects their ORCID iD from your system;
  • When a user asks to revoke tokens from within your system, so that the revocation takes effect at ORCID as well.

To narrow the scope or shorten the lifetime of an existing access token, or to replace a token that has been compromised, use the refresh token workflow rather than revocation.

Format for revocation

  https://sandbox.orcid.org/oauth/revoke (or https://orcid.org/oauth/revoke)
  METHOD: POST
  HEADER: accept:application/json
  DATA: 
    client_id=[Your client ID]
    client_secret=[Your client secret]
    token=[access token or refresh token for token pair to be revoked]

Example revocation calls

Original token response

{"access_token":"4ec62207-1d93-4396-9c24-8294893a791d","token_type":"bearer","refresh_token":"55ad9d2f-c392-4e1d-b55b-2fa74a964817","expires_in":631138518,"scope":"/read-limited /activities/update /person/update","name":"Sofia Garcia","orcid":"0000-0001-2345-6789"}

Call to revoke a token pair using the access token

curl -i -L -H "Accept: application/json" --data "client_id=APP-NPXKK6HFN6TJ4YYI&client_secret=060c36f2-cce2-4f74-bde0-a17d8bb30a97&token=4ec62207-1d93-4396-9c24-8294893a791d" "https://sandbox.orcid.org/oauth/revoke"

Response

HTTP/1.1 200 OK

Example call to revoke a token pair using the refresh token

curl -i -L -H "Accept: application/json" --data "client_id=APP-NPXKK6HFN6TJ4YYI&client_secret=060c36f2-cce2-4f74-bde0-a17d8bb30a97&token=55ad9d2f-c392-4e1d-b55b-2fa74a964817" "https://sandbox.orcid.org/oauth/revoke"

Response

HTTP/1.1 200 OK
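The same revocation call in Python, as an added example that is not ORCID's own client code. It builds the POST exactly as the "Format for revocation" section describes and interprets the response according to RFC 7009 section 2.2 (200 means revoked, 503 means retry later, 400/401 carry an OAuth error code in a JSON body). The client ID, secret and token values are constructed placeholders; make_fake_opener is a stand-in for urlopen so the code runs offline, and revoke_token_pair takes a real urlopen by default.

```python
# Added example (not ORCID's own client code): revoke a token pair via the
# /oauth/revoke endpoint and classify the outcome per RFC 7009 section 2.2.
import hashlib
import io
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

REVOKE_URL = {
    "sandbox": "https://sandbox.orcid.org/oauth/revoke",
    "production": "https://orcid.org/oauth/revoke",
}


def build_revocation_request(client_id, client_secret, token, environment="sandbox"):
    """Build the POST described in the "Format for revocation" section.

    Credentials travel in the form-encoded body, never in the query string,
    so they do not end up in proxy or web-server access logs.
    """
    if not token:
        raise ValueError("pass either the access token or its refresh token")
    body = urlencode({"client_id": client_id,
                      "client_secret": client_secret,
                      "token": token}).encode("ascii")
    return Request(REVOKE_URL[environment], data=body, method="POST",
                   headers={"Accept": "application/json",
                            "Content-Type": "application/x-www-form-urlencoded"})


def token_fingerprint(token):
    """Short hash for audit logs; the raw token itself is never logged."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def revoke_token_pair(client_id, client_secret, token, environment="sandbox",
                      opener=urlopen):
    """Send the revocation and return a dict describing the outcome.

    200 -> "revoked" (also returned for a token the server no longer knows,
    so the call is idempotent); 503 -> "retry"; other 4xx/5xx -> "error" with
    the OAuth error code from the JSON body when one is present.
    `opener` is injectable so the function can be exercised without network.
    """
    req = build_revocation_request(client_id, client_secret, token, environment)
    fp = token_fingerprint(token)
    try:
        with opener(req) as resp:
            return {"outcome": "revoked", "http_status": resp.status, "token": fp}
    except HTTPError as err:
        if err.code == 503:
            return {"outcome": "retry", "http_status": 503, "token": fp}
        try:
            data = json.loads(err.read().decode() or "{}")
        except ValueError:
            data = {}
        detail = data.get("error", "") if isinstance(data, dict) else ""
        return {"outcome": "error", "http_status": err.code,
                "token": fp, "error": detail}


class _FakeResponse:
    """Minimal stand-in for the object urlopen() returns (offline use only)."""
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(status, body=b""):
    """Return an opener that mimics urlopen for one HTTP status (test double)."""
    def opener(req):
        assert req.get_method() == "POST" and b"client_secret=" in req.data
        if status >= 400:
            raise HTTPError(req.full_url, status, "simulated", {}, io.BytesIO(body))
        return _FakeResponse(status)
    return opener


if __name__ == "__main__":
    # Constructed placeholder values; substitute your real client credentials
    # and a live token, and drop the opener argument to call ORCID for real.
    print(revoke_token_pair("APP-EXAMPLE", "not-a-real-secret",
                            "4ec62207-1d93-4396-9c24-8294893a791d",
                            opener=make_fake_opener(200)))
```

Treat "retry" as transient and back off; treat "error" with invalid_client as a credential problem on your side rather than something to retry. Log only the fingerprint, never the token or secret.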