Revoke Access-Token

To revoke a specific access-token (thus disabling the integration and preventing your customer from using it), do as follows:

  • Send a POST request to the following endpoint: https://api.fortnox.se/oauth-v1/revoke
  • Use the following headers:
    Key             Value
    Content-Type    application/x-www-form-urlencoded
    Authorization   Basic {Base64 encode client-id:client-secret}

    If you use Postman, for example, the Bulk-edit of the headers should look like this:
    Content-Type:application/x-www-form-urlencoded
    Authorization:Basic SjU5WTcySjE4Z0Q6UnVaQVQ2ZTlj

  • The value of the “Authorization” key must be “Basic” followed by the Base64 encoding of “client-id:client-secret”. Note that the “:” must be included in the string you encode.
  • Use the following body:
    Key     Value
    token   {Access-Token to revoke}

    If you use Postman, for example, the Bulk-edit of the body should look like this:
    token:09d8e971-bf24-42ba-ac09-019aaa3d7297

  • If everything goes as intended, you get:
    • 200 HTTP-response
    • Body: {"revoked":true}
  • Read more at: https://tools.ietf.org/html/rfc7009#section-2
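
The steps above as a Python standard-library sketch. This is an added example, not Fortnox's own code: the function names are hypothetical, and the client-id and client-secret in the demo are the values that the sample Postman header on this page decodes to.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://api.fortnox.se/oauth-v1/revoke"  # endpoint given on the page


def basic_auth_header(client_id, client_secret):
    """Base64-encode "client-id:client-secret" (colon included) for HTTP Basic."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(client_id, client_secret, token):
    """Build, without sending, the form-encoded POST described in the steps."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(REVOKE_URL, data=body, headers=headers, method="POST")


def is_revoked(status, body):
    """True only for HTTP 200 with a JSON body of {"revoked": true}."""
    if status != 200:
        return False
    try:
        parsed = json.loads(body)
    except ValueError:  # not JSON, or not valid UTF-8
        return False
    return isinstance(parsed, dict) and parsed.get("revoked") is True


def revoke(client_id, client_secret, token, timeout=10.0):
    """Send the request; needs network access and real credentials."""
    req = build_revoke_request(client_id, client_secret, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_revoked(resp.status, resp.read())
    except urllib.error.HTTPError:  # any 4xx/5xx: treat the token as not revoked
        return False


if __name__ == "__main__":  # offline demo with the page's sample values
    demo = build_revoke_request("J59Y72J18gD", "RuZAT6e9c", "09d8e971-bf24-42ba-ac09-019aaa3d7297")
    print(demo.get_method(), demo.full_url, demo.header_items(), demo.data)
```

Because Base64 is an encoding and not encryption, anyone who sees the Authorization header can recover the client-secret, so load real credentials from a secret store and keep the header out of logs and screenshots.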