Token Revocation
Endpoint
```http
POST https://auth.beshoy.ai/oauth/revoke
Content-Type: application/json
```

Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | The refresh token to revoke |
| client_id | string | Yes | Project ID that owns the token |
Example Request
```bash
curl -X POST https://auth.beshoy.ai/oauth/revoke \
  -H "Content-Type: application/json" \
  -d '{ "token": "a1b2c3d4e5f6...", "client_id": "proj_gym" }'
```

Response
Always returns 200 OK regardless of whether the token existed:

```json
{ "ok": true }
```

This is intentional: revocation is idempotent, and a response that is identical for known and unknown tokens does not let a caller probe whether a token exists.
Behavior
- If the token exists and belongs to the specified project, it is revoked
- If the token does not exist or belongs to a different project, the request is a no-op
- A revoked token remains accepted during the 60-second grace period, so in-flight requests can complete
- After the grace period, the token is permanently rejected
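The behaviour above, modelled as an added Python example (this is not the beshoy.ai service's own code): an in-memory store whose revoke() always returns the same body, silently ignores tokens it does not own, and keeps a revoked token usable for the 60-second grace period. RevocationStore, RefreshToken, the issue() helper and the explicit now parameter are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Grace period from the page: a revoked refresh token is still accepted this long.
GRACE_SECONDS = 60


@dataclass
class RefreshToken:
    # Hypothetical record; a real store would keep more fields and hold a hash
    # of the token rather than the token itself.
    client_id: str
    revoked_at: Optional[float] = None


@dataclass
class RevocationStore:
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)

    def issue(self, client_id: str) -> str:
        """Mint a refresh token for a project (hypothetical helper for the demo)."""
        token = secrets.token_hex(32)
        self.tokens[token] = RefreshToken(client_id=client_id)
        return token

    def revoke(self, token: str, client_id: str, now: Optional[float] = None) -> dict:
        """POST /oauth/revoke semantics: always the same 200 body.

        Unknown tokens and tokens owned by another project are silent no-ops,
        so the response carries no information about whether the token exists.
        Revoking an already-revoked token does not restart its grace period.
        """
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is not None and rec.client_id == client_id and rec.revoked_at is None:
            rec.revoked_at = now
        return {"ok": True}

    def is_accepted(self, token: str, client_id: str, now: Optional[float] = None) -> bool:
        """Would a refresh with this token succeed right now?"""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.client_id != client_id:
            return False
        if rec.revoked_at is None:
            return True
        # Revoked: in-flight requests get the grace window, then permanent rejection.
        return now < rec.revoked_at + GRACE_SECONDS
```

The check in revoke() that revoked_at is still None is the detail worth copying: without it, a caller could keep a revoked token alive indefinitely by re-revoking it every 59 seconds.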
Bulk Revocation
Section titled “Bulk Revocation”For revoking all sessions or multiple sessions at once, use the Admin Sessions API:
- POST /admin/projects/:id/sessions/revoke-all: revoke all project sessions
- POST /admin/projects/:id/sessions/revoke-many: revoke up to 100 specific sessions
Access Token Invalidation
Access tokens cannot be revoked: they are stateless JWTs verified locally, without a call back to the auth service, so they remain valid until their 5-minute expiry. To block a user as quickly as possible:

- Revoke their refresh token (prevents new access tokens)
- Set their status to "blocked" in project_users (prevents refresh)
- Wait up to 5 minutes for the current access token to expire
For the gym app, the proxy also checks the status claim on every request, so blocking takes effect immediately for requests going through the proxy.
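To show why the three steps are needed, and what the proxy's per-request check adds, here is an added Python example (not the service's or the gym app's code). It pairs a minimal HS256 JWT issuer with a purely local verifier that knows only the signature and the exp claim, and a proxy_authorize() that additionally looks the user's current status up in a project_users table on every request. The signing key, the claim names other than exp, the block_user() helper and the in-memory project_users dict are assumptions; the per-request status lookup is a modelled stand-in for the proxy behaviour the page describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

ACCESS_TTL = 300  # 5-minute access token lifetime stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dumps(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("ascii")


def issue_access_token(key: bytes, sub: str, client_id: str, now: float) -> str:
    """Mint a compact HS256 JWT (hypothetical issuer; claim names other than exp are assumed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "client_id": client_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = _b64url(_dumps(header)) + "." + _b64url(_dumps(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(key: bytes, token: str, now: float) -> Optional[dict]:
    """Stateless local check: algorithm, signature and expiry only.

    Nothing here can observe that the user was blocked, which is why a blocked
    user's current token stays valid until exp (up to 5 minutes).
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # accept only the one algorithm we issue
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64, JSON, encoding, or wrong segment count
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def proxy_authorize(key: bytes, token: str, now: float, project_users: Dict[str, str]) -> Optional[dict]:
    """Proxy-side check: local JWT verification plus a status lookup on every request."""
    claims = verify_access_token(key, token, now)
    if claims is None or project_users.get(claims.get("sub")) != "active":
        return None
    return claims


def block_user(sub: str, project_users: Dict[str, str]) -> None:
    """Step 2 of the procedure; step 1 is the /oauth/revoke call for the user's refresh token."""
    project_users[sub] = "blocked"
```

Run the two checks side by side after block_user(): verify_access_token() still returns the claims until exp, while proxy_authorize() rejects the same token on the very next request. Anything that validates tokens without such a lookup inherits the 5-minute window.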