Revoking OAuth Tokens

When a user logs out of an app, or the app times out or in other ways becomes invalid, the logged-in users’ credentials are cleared from the mobile app. This effectively ends the connection to the server. Also, Mobile SDK revokes the refresh token from the server as part of logout.

To revoke OAuth 2.0 tokens, use the revocation endpoint.


Construct a POST request that uses the application/x-www-form-urlencoded format in the HTTP request entity-body. For example:

If an access token is included, Salesforce invalidates it and revokes the token. If a refresh token is included, Salesforce revokes it and any associated access tokens.

Salesforce indicates successful processing of the request by returning an HTTP 200 status code. For all error conditions, Salesforce returns a 400 status code along with one of the following error responses.

  • unsupported_token_type—Token type not supported
  • invalid_token—Token was invalid

For a sandbox, use instead of

If you’re not using enhanced domains, your sandbox My Domain URLs are different. You can find your org’s My Domain login URL on the My Domain Setup page.