api
auth_error
ai_generated
partial
OAuth2 error: invalid_token_type_hint
ID: api/oauth2-invalid-token-type-hint
Fix Rate: 80%
Confidence: 84%
Evidence: 1
First Seen: 2024-01-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth 2.0 RFC 7009 | active | — | — | — |
| Keycloak 23.0.0 | active | — | — | — |
| Auth0 (2024) | active | — | — | — |
| Okta 2024.01.0 | active | — | — | — |
Root Cause
The token type hint parameter in the token revocation or introspection request is not recognized by the authorization server, often due to a typo or unsupported value.
Official Documentation
https://tools.ietf.org/html/rfc7009#section-2.1
Workarounds
- 90% success: Ensure the token_type_hint parameter uses one of the standard values: 'access_token' or 'refresh_token'. Example: `POST /revoke HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\ntoken=abc123&token_type_hint=access_token`.
- 85% success: Check the authorization server's documentation for supported token type hints. For Keycloak, also try 'id_token' if using OpenID Connect.
- 70% success: If unsure, omit the token_type_hint parameter and let the server infer the type. Some servers (e.g., Auth0) support this gracefully.
Dead Ends
Common approaches that don't work:
- 60% fail: Some servers require the hint for revocation; without it, the request may fail or return an error.
- 80% fail: The server only recognizes standard token type hints; custom values are rejected.
- 70% fail: OAuth2 token revocation endpoints typically expect application/x-www-form-urlencoded format, not JSON.
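The checks from the workarounds and the form-encoding dead end above, combined into one client-side helper that builds (but does not send) a revocation request. This is an added example, not code from any of the listed servers; the endpoint URL, the function names and the `extra_supported` parameter are assumptions, and client authentication is left out.

```python
from urllib.parse import urlencode
from urllib.request import Request

# Hint values the page lists as standard (RFC 7009 section 2.1).
STANDARD_HINTS = frozenset({"access_token", "refresh_token"})


def normalize_hint(hint, extra_supported=()):
    """Return a hint that is safe to send, or None to omit the parameter.

    Case and hyphen variants ("Access-Token") are normalized; anything that
    still is not a known value (a typo, a custom name) is dropped so the
    server infers the type instead of rejecting the request.
    """
    if hint is None:
        return None
    cleaned = hint.strip().lower().replace("-", "_")
    allowed = STANDARD_HINTS | set(extra_supported)
    return cleaned if cleaned in allowed else None


def build_revocation_request(url, token, hint=None, extra_supported=()):
    """Build a form-encoded POST for a revocation endpoint (never JSON)."""
    fields = {"token": token}
    safe_hint = normalize_hint(hint, extra_supported)
    if safe_hint is not None:
        fields["token_type_hint"] = safe_hint
    return Request(
        url,
        data=urlencode(fields).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    # Constructed sample input: hypothetical endpoint, token value from the page.
    for hint in ("Access-Token", "acess_token", None):
        req = build_revocation_request(
            "https://auth.example.test/revoke", "abc123", hint
        )
        print(repr(hint), "->", req.data.decode())
```

Pass server-specific values through `extra_supported` (for example `("id_token",)` for the Keycloak case above) only after confirming them in that server's documentation.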