CIAM.wiki


Token Revocation

Token revocation is an OAuth 2.0 extension, defined in RFC 7009, that allows a client to notify the authorization server that an access token or refresh token is no longer needed and should be invalidated.

Also: revocation

Token revocation is defined in RFC 7009 as a way for a client application to tell the authorization server that a previously issued token should be invalidated. The client sends the token to the revocation endpoint, and the server marks it as no longer valid. The specification covers both access tokens and refresh tokens.

Revocation is important for scenarios where a token must be invalidated before its natural expiration. A user logging out, changing their password, or revoking consent are common triggers. Without revocation, the token would remain valid until it expires, leaving a window during which it could still be used.

The server responds with a success status regardless of whether the token was recognized, to prevent information leakage about valid tokens. When a refresh token is revoked, the server should also invalidate any access tokens that were issued from it.
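The behaviour described above, as an added example that is not part of the original glossary entry or of RFC 7009 itself: an in-memory model of a revocation endpoint with constructed client credentials and tokens. It authenticates the client, returns success for unknown tokens, and cascades refresh-token revocation to access tokens from the same grant; the class and field names are assumptions for this illustration.

```python
# Added example (not from RFC 7009 or CIAM.wiki): in-memory model of an
# RFC 7009 revocation endpoint. Clients, tokens and grant ids are constructed.
from dataclasses import dataclass, field

CLIENTS = {"app-1": "s3cret", "app-2": "other"}   # constructed client credentials


@dataclass
class Token:
    value: str
    kind: str        # "access_token" or "refresh_token"
    client_id: str   # client the token was issued to
    grant_id: str    # ties together tokens issued from one authorization grant
    revoked: bool = False


@dataclass
class RevocationEndpoint:
    tokens: dict = field(default_factory=dict)   # token value -> Token

    def issue(self, value, kind, client_id, grant_id):
        self.tokens[value] = Token(value, kind, client_id, grant_id)

    def is_active(self, value):
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked

    def revoke(self, client_id, client_secret, form):
        """Handle a POST to the revocation endpoint; return (http_status, body)."""
        # Confidential clients authenticate first (RFC 7009 section 2.1).
        if CLIENTS.get(client_id) != client_secret:
            return 401, {"error": "invalid_client"}
        if "token" not in form:                  # "token" is a required parameter
            return 400, {"error": "invalid_request"}
        # token_type_hint is only a lookup optimisation; the lookup here is by
        # value, so a wrong or missing hint never changes the outcome.
        tok = self.tokens.get(form["token"])
        # Unknown token, or a token issued to another client: answer 200 with no
        # effect, so the response reveals nothing about tokens the caller does
        # not own. (Design choice: RFC 7009 also allows an error for the
        # wrong-client case.)
        if tok is None or tok.client_id != client_id:
            return 200, {}
        tok.revoked = True
        # Revoking a refresh token also invalidates the access tokens that were
        # issued from the same grant.
        if tok.kind == "refresh_token":
            for other in self.tokens.values():
                if other.grant_id == tok.grant_id:
                    other.revoked = True
        return 200, {}
```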

For CIAM, token revocation provides customers and administrators with immediate control over active sessions and API access, which is essential for security and regulatory compliance.
