Token Revocation (RFC 7009)
An OAuth 2.0 endpoint defined in RFC 7009 that allows clients to explicitly notify the authorization server that a token is no longer needed, triggering its invalidation. Both access tokens and refresh tokens can be revoked. Revocation is used to implement logout, respond to security incidents, and clean up tokens when users disconnect applications. For JWTs, revocation requires server-side blocklists since the tokens are otherwise self-validating.
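The revocation flow above, modelled as an added example that is not part of this glossary entry or any RFC reference implementation. It is a small in-memory authorization server with a revocation handler following RFC 7009 section 2 (client authentication first, `token` and optional `token_type_hint` form parameters, HTTP 200 even for unknown tokens, `unsupported_token_type` for an unrecognised hint), plus the server-side blocklist a resource server needs to honour revocation of self-validating JWTs. `TokenStore`, `CLIENTS`, the client id `app-123` and its secret are constructed names and values; a real deployment would back them with a database and the server's own client registry.

```python
import hmac
from dataclasses import dataclass, field
from secrets import token_urlsafe
from urllib.parse import parse_qs

# Constructed client registry: client_id -> client_secret (hypothetical values).
CLIENTS = {"app-123": "s3cret-example"}


@dataclass
class TokenStore:
    """In-memory stand-in for the authorization server's token database."""
    access: dict = field(default_factory=dict)        # access token -> client_id
    refresh: dict = field(default_factory=dict)       # refresh token -> (client_id, linked access token)
    jti_blocklist: dict = field(default_factory=dict)  # revoked JWT id -> its exp


def issue(store: TokenStore, client_id: str):
    """Issue an opaque access/refresh token pair to a client."""
    at, rt = token_urlsafe(32), token_urlsafe(32)
    store.access[at] = client_id
    store.refresh[rt] = (client_id, at)
    return at, rt


def revoke_endpoint(store: TokenStore, body: str, client_id: str, client_secret: str):
    """Model of POST /revoke (RFC 7009 section 2). Returns (http_status, json_body)."""
    # Client authentication comes first; constant-time compare, fail closed.
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}

    form = parse_qs(body)
    token = form.get("token", [None])[0]
    hint = form.get("token_type_hint", [None])[0]
    if token is None:
        return 400, {"error": "invalid_request"}
    if hint not in (None, "access_token", "refresh_token"):
        return 400, {"error": "unsupported_token_type"}

    # The hint only orders the lookup; the server must still search both stores.
    lookups = ["access_token", "refresh_token"]
    if hint == "refresh_token":
        lookups.reverse()
    for kind in lookups:
        if kind == "access_token" and token in store.access:
            if store.access[token] == client_id:
                del store.access[token]
            break
        if kind == "refresh_token" and token in store.refresh:
            owner, linked_at = store.refresh[token]
            if owner == client_id:
                # Revoking a refresh token also invalidates the access token issued with it.
                del store.refresh[token]
                store.access.pop(linked_at, None)
            break
    # Unknown tokens still get 200: the RFC says invalid tokens do not produce an
    # error, since the client could not act on one and the token is dead anyway.
    # A token owned by another client is treated the same way here so the response
    # cannot be used as an oracle for whether someone else's token exists.
    return 200, {}


def revoke_jwt(store: TokenStore, claims: dict) -> None:
    """Blocklist a self-contained JWT by its jti; the entry is only needed until exp."""
    store.jti_blocklist[claims["jti"]] = claims["exp"]


def jwt_accepted(store: TokenStore, claims: dict, now: int) -> bool:
    """Resource-server check after signature verification (assumed done upstream)."""
    return claims["exp"] > now and claims["jti"] not in store.jti_blocklist


def prune_blocklist(store: TokenStore, now: int) -> None:
    """Drop entries whose exp has passed; the exp check alone rejects those tokens."""
    store.jti_blocklist = {j: e for j, e in store.jti_blocklist.items() if e > now}
```

The blocklist is keyed on `jti` rather than the whole token so that the lookup stays small, and it is bounded by token lifetime: once a revoked JWT's `exp` has passed, the ordinary expiry check rejects it and the entry can be pruned.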