# OAuth2 error: invalid_token_type_hint

- **ID:** `api/oauth2-invalid-token-type-hint`
- **Domain:** api
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The token type hint parameter in the token revocation or introspection request is not recognized by the authorization server, often due to a typo or unsupported value.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth 2.0 RFC 7009 | active | — | — |
| Keycloak 23.0.0 | active | — | — |
| Auth0 (2024) | active | — | — |
| Okta 2024.01.0 | active | — | — |

## Workarounds

1. **Ensure the `token_type_hint` parameter uses one of the standard values: `access_token` or `refresh_token`.** (90% success)
   ```
   POST /revoke HTTP/1.1
   Content-Type: application/x-www-form-urlencoded

   token=abc123&token_type_hint=access_token
   ```
2. **Check the authorization server's documentation for supported token type hints. For Keycloak, also try 'id_token' if using OpenID Connect.** (85% success)
3. **If unsure, omit the token_type_hint parameter and let the server infer the type. Some servers (e.g., Auth0) support this gracefully.** (70% success)

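As an added example (not part of the original entry or of any vendor SDK), the Python helper below applies the workarounds above on the client side: it rejects an unrecognized hint before the request is sent, omits the parameter when no hint is given, and form-encodes the body. The endpoint URL, the function name `build_revocation_request` and the `extra_hints` parameter are assumptions for illustration.

```python
"""Added example: build a revocation request with a checked token_type_hint."""
from urllib.parse import urlencode
from urllib.request import Request

# Standard hint values named in workaround 1. Server-specific values
# (e.g. 'id_token') go in `extra_hints` only if the server documents them.
STANDARD_HINTS = frozenset({"access_token", "refresh_token"})


def build_revocation_request(endpoint, token, hint=None, extra_hints=()):
    """Return a urllib Request for a token revocation endpoint.

    Raises ValueError on an unrecognized hint, so a typo such as
    'acess_token' fails in the client instead of at the server.
    Client authentication is out of scope here and must be added by the caller.
    """
    if not token:
        raise ValueError("token must be non-empty")
    params = {"token": token}
    if hint is not None:
        allowed = STANDARD_HINTS | set(extra_hints)
        if hint not in allowed:
            # The token itself is never placed in the error message.
            raise ValueError(
                f"unsupported token_type_hint {hint!r}; allowed: {sorted(allowed)}"
            )
        params["token_type_hint"] = hint
    # Form-encode the body; the endpoint expects this format, not JSON.
    body = urlencode(params).encode("ascii")
    return Request(
        endpoint,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    url = "https://auth.example.com/revoke"
    for hint in ("access_token", None, "acess_token"):
        try:
            req = build_revocation_request(url, "abc123", hint)
            print(hint, "->", req.data.decode())
        except ValueError as exc:
            print(hint, "-> rejected:", exc)
```
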
## Dead Ends

- Some servers require the hint for revocation; without it, the request may fail or return an error. (60% fail)
- The server only recognizes standard token type hints; custom values are rejected. (80% fail)
- OAuth2 token revocation endpoints typically expect `application/x-www-form-urlencoded` format, not JSON. (70% fail)
