Skip to main content
Version: 4.x

Revoke token

Revoking a token immediately invalidates it - any subsequent request using that token will be rejected. Call this endpoint when a user logs out or when you need to terminate a specific session (e.g., after a password change or suspicious activity).

note

Once a token is revoked, it cannot be un-revoked. The user must authenticate again to obtain a new token.

API Reference

Explore and test this endpoint using the interactive API reference →

Endpoint

METHOD: POST

ENDPOINT: /simple-jwt-login/v1/auth/revoke

URL Example: https://{{yoursite}}/?rest_route=/simple-jwt-login/v1/auth/revoke&JWT={{YOUR_JWT}}

PARAMETERS:

ParameterTypeDescription
JWTrequired stringYour JWT. Can alternatively be passed as Authorization: Bearer <token>.
AUTH_KEYoptional stringAuth Code value. Required only if "Require Authentication Code" is enabled. The parameter name matches the Auth Code URL Key in Auth Codes settings (default: AUTH_KEY).

Request

{
"JWT": "YOUR_JWT_HERE"
}

With optional Auth Code:

{
"JWT": "YOUR_JWT_HERE",
"AUTH_KEY": "MySecretAuthCode"
}

Responses

200

{
"success": true,
"data": {
"jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
}

400

Bad request - the JWT field is missing from the request body.

{
"success": false,
"data": {
"message": "JWT is missing.",
"errorCode": 42
}
}

401

Unauthorized - JWT is structurally invalid, has a bad signature, or the auth code is wrong.

{
"success": false,
"data": {
"message": "JWT signature verification failed.",
"errorCode": 11
}
}

403

Forbidden - token revocation is disabled in plugin settings.

{
"success": false,
"data": {
"message": "Revoke token is not enabled.",
"errorCode": 83
}
}

500

Internal server error.

{
"success": false,
"data": {
"message": "An unexpected error occurred.",
"errorCode": 22
}
}

Examples

SHELL

curl -X POST https://simplejwtlogin.com/?rest_route=/simple-jwt-login/v1/auth/revoke \
-H "Content-type: application/json" \
-d '{"JWT":"YOUR_JWT"}'

PHP

$simpleJwtLogin = new \SimpleJwtLoginClient\SimpleJwtLoginClient(
'https://simplejwtlogin.com',
'/simple-jwt-login/v1'
);
$result = $simpleJwtLogin->revokeToken('Your JWT here', 'AUTH CODE');

JavaScript

fetch('https://simplejwtlogin.com/wp-json/simple-jwt-login/v1/auth/revoke', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ JWT: 'YOUR_JWT_HERE' })
}).then(r => r.json()).then(console.log);

Error responses

CodeMeaning
42JWT is missing from the request.
83The revoke-token feature is disabled in plugin settings.

JWT decoding errors (1-22) may also appear when the supplied token cannot be parsed or its signature is invalid.


Settings

Configure under Settings → Simple JWT Login → Revoke Token.

Allow Revoke Token Endpoint

Allow Revoke Token Endpoint

Enable or disable the revoke token endpoint. When disabled, all POST requests to /auth/revoke return a 403 error. When enabled, clients can invalidate a JWT for all future requests.

Require Authentication Code

Require Authentication Code

When enabled, an additional Auth Code must be provided alongside the JWT to use the revoke endpoint. The parameter name is the Auth Code URL Key from Auth Codes settings (default: AUTH_KEY). Configure the codes themselves in the Auth Codes tab.