Use your client ID, secret, and either the active token or its associated refresh token to revoke the token pair. You can revoke token pairs created in both the two-legged and three-legged OAuth processes. If you have multiple sets of tokens, e.g. for different scopes, only the specified access token and corresponding refresh token will be revoked.
We suggest revoking tokens in the following conditions:
- To revoke tokens issued to a third-party supplier after the termination of a relationship;
- To revoke tokens when users disconnect their ORCID iD from your system;
- To allow users to revoke tokens from within your system.
We recommend using the refresh tokens to limit the scope or duration of an existing access token or update a token if it has been compromised.
The revoke API call
https://sandbox.orcid.org/oauth/revoke (or https://orcid.org/oauth/revoke) METHOD: POST HEADER: accept:application/json CONTENT-TYPE: application/x-www-form-urlencoded DATA: client_id=[Your client ID] client_secret=[Your client secret] token=[access token or refresh token for token pair to be revoked]