> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fyatu.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Revoke Token

> Revoke an active Fyatu API access token to invalidate a session. POST /auth/revoke.

## Overview

Invalidate an access token before it naturally expires. Use this when:

* User logs out of your application
* You detect suspicious activity
* Credentials may have been compromised
* Token is no longer needed

## When to Revoke Tokens

<AccordionGroup>
  <Accordion title="User Logout">
    When a user explicitly logs out, revoke their token to prevent unauthorized access.

    ```javascript theme={null}
    async function logout() {
      await fetch('https://api.fyatu.com/api/v3/auth/revoke', {
        method: 'POST',
        headers: { 'Authorization': `Bearer ${currentToken}` }
      });
      localStorage.removeItem('fyatu_token');
    }
    ```
  </Accordion>

  <Accordion title="Security Incident">
    If you suspect a token has been compromised, revoke it immediately.

    ```javascript theme={null}
    async function handleSecurityIncident(compromisedToken) {
      await fetch('https://api.fyatu.com/api/v3/auth/revoke', {
        method: 'POST',
        headers: { 'Authorization': `Bearer ${compromisedToken}` }
      });
      // Get a fresh token with new credentials
    }
    ```
  </Accordion>

  <Accordion title="Credential Rotation">
    When rotating API credentials, revoke existing tokens first.
  </Accordion>
</AccordionGroup>

## Error Codes

| Code                 | Description                           |
| -------------------- | ------------------------------------- |
| `AUTH_TOKEN_MISSING` | No Authorization header provided      |
| `AUTH_TOKEN_INVALID` | Token is malformed or already expired |

<Warning>
  Once a token is revoked, it cannot be used for any API requests. Any in-flight requests using the revoked token may fail.
</Warning>

<Tip>
  After revoking a token, immediately clear it from your application's storage to prevent accidental reuse.
</Tip>


## OpenAPI

````yaml v3/openapi.json POST /auth/revoke
openapi: 3.1.0
info:
  title: FYATU API v3
  description: >-
    FYATU API v3 with JWT authentication for Collections, Payouts, and Card
    Issuing.
  version: 3.0.0
  contact:
    name: FYATU Support
    url: https://fyatu.com
    email: support@fyatu.com
servers:
  - url: https://api.fyatu.com/api/v3
    description: Production
security: []
tags:
  - name: Authentication
    description: JWT token management endpoints
  - name: Account
    description: Business account, wallet, and address management
  - name: Collections
    description: Accept payments from customers via checkout sessions
  - name: Refunds
    description: Issue refunds for completed collections
  - name: Payouts
    description: Send money to Fyatu account holders
  - name: Cardholders
    description: Cardholder management for card issuing programs
  - name: Cards
    description: Issue, fund, freeze, and manage virtual cards
  - name: Webhooks
    description: Webhook configuration and management
paths:
  /auth/revoke:
    post:
      tags:
        - Authentication
      summary: Revoke Access Token
      description: >-
        Invalidate an access token before its natural expiry. Use this for
        logout or when credentials may be compromised.
      operationId: revokeToken
      responses:
        '200':
          description: Token revoked successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RevokeResponse'
              example:
                success: true
                status: 200
                message: Token revoked successfully
                data:
                  revoked: true
                meta:
                  requestId: req_abc123def456
                  timestamp: '2026-01-05T10:30:00+00:00'
        '401':
          description: Invalid or expired token
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                success: false
                status: 401
                message: Invalid or expired token
                error:
                  code: AUTH_TOKEN_INVALID
                meta:
                  requestId: req_abc123def456
                  timestamp: '2026-01-05T10:30:00+00:00'
      security:
        - BearerAuth: []
components:
  schemas:
    RevokeResponse:
      type: object
      properties:
        success:
          type: boolean
          example: true
        status:
          type: integer
          example: 200
        message:
          type: string
          example: Token revoked successfully
        data:
          $ref: '#/components/schemas/RevokeData'
        meta:
          $ref: '#/components/schemas/Meta'
    ErrorResponse:
      type: object
      properties:
        success:
          type: boolean
          example: false
        status:
          type: integer
          example: 401
        message:
          type: string
          example: Invalid credentials
        error:
          $ref: '#/components/schemas/Error'
        meta:
          $ref: '#/components/schemas/Meta'
    RevokeData:
      type: object
      properties:
        revoked:
          type: boolean
          description: Whether the token was successfully revoked
          example: true
    Meta:
      type: object
      properties:
        requestId:
          type: string
          description: Unique request ID for tracking
          example: req_abc123def456
        timestamp:
          type: string
          format: date-time
          description: ISO 8601 timestamp of the response
    Error:
      type: object
      properties:
        code:
          type: string
          description: Error code for programmatic handling
          example: AUTH_INVALID_CREDENTIALS
        details:
          type: array
          items:
            $ref: '#/components/schemas/ValidationError'
          description: Validation error details (for VALIDATION_ERROR)
    ValidationError:
      type: object
      properties:
        field:
          type: string
          description: Field that failed validation
          example: appId
        message:
          type: string
          description: Validation error message
          example: AppId is required
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: JWT access token obtained from /auth/token

````