ExMCP.Plugs.TokenRevocation (ex_mcp v0.9.2)

Server-side token revocation endpoint (RFC 7009).

This plug handles incoming token revocation requests. When a client sends a POST with a token parameter, the plug calls the configured revocation callback to invalidate the token.

Per RFC 7009, the endpoint always returns 200 OK, even if the token was already invalid or unknown, to prevent token scanning attacks.

Usage

plug ExMCP.Plugs.TokenRevocation,
  revoke_fn: fn token, token_type_hint ->
    MyApp.TokenStore.revoke(token, token_type_hint)
  end

Or with a module callback:

plug ExMCP.Plugs.TokenRevocation,
  revoke_fn: &MyApp.TokenStore.revoke/2

Options

  • :revoke_fn (required) - A function (token, token_type_hint) -> :ok | {:error, term()}. Called to actually revoke the token. token_type_hint may be nil, "access_token", or "refresh_token".

  • :authenticate_client_fn - Optional function (conn) -> {:ok, client_id} | {:error, term()}. If provided, the client is authenticated before processing the revocation.
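
A store that satisfies the :revoke_fn contract, as an added example (not ex_mcp's own code). MyApp.TokenStore is the placeholder name from the usage snippet above; its Agent-backed implementation, put/3, active?/1 and the grant_id field are assumptions made for illustration. It looks tokens up across both types, so the hint is never trusted, treats an unknown token as success, and drops the sibling tokens of a revoked refresh token as RFC 7009 recommends.

```elixir
defmodule MyApp.TokenStore do
  @moduledoc """
  Illustrative in-memory token store (hypothetical; not part of ex_mcp).
  Tokens are keyed by SHA-256 digest so raw token values are not kept in state.
  """
  use Agent

  @types ["access_token", "refresh_token"]

  def start_link(_opts \\ []), do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Records an issued token; grant_id links tokens issued from the same grant.
  def put(token, type, grant_id) when type in @types do
    Agent.update(__MODULE__, &Map.put(&1, digest(token), %{type: type, grant_id: grant_id}))
  end

  def active?(token), do: Agent.get(__MODULE__, &Map.has_key?(&1, digest(token)))

  # Matches the :revoke_fn contract: (token, token_type_hint) -> :ok | {:error, term()}.
  # The lookup is by digest across all token types, so a missing or wrong hint
  # cannot stop a valid token from being revoked.
  def revoke(token, hint) when is_binary(token) and (is_nil(hint) or is_binary(hint)) do
    key = digest(token)

    Agent.update(__MODULE__, fn tokens ->
      case Map.get(tokens, key) do
        # Unknown or already revoked: nothing to change, still reported as :ok.
        nil ->
          tokens

        # Revoking a refresh token also drops every token from the same grant.
        %{type: "refresh_token", grant_id: grant_id} ->
          Map.reject(tokens, fn {_key, entry} -> entry.grant_id == grant_id end)

        _access_token ->
          Map.delete(tokens, key)
      end
    end)
  end

  def revoke(_token, _hint), do: {:error, :invalid_request}

  defp digest(token), do: :crypto.hash(:sha256, token)
end
```

Map.reject/2 requires Elixir 1.13 or later. Wire it in with revoke_fn: &MyApp.TokenStore.revoke/2 after starting the store under the application's supervision tree.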