Token Revocation (RFC 7009)
An OAuth 2.0 endpoint defined in RFC 7009 that allows clients to explicitly notify the authorization server that a token is no longer needed, triggering its invalidation. Both access tokens and refresh tokens can be revoked. Revocation is used to implement logout, respond to security incidents, and clean up tokens when users disconnect applications. For JWTs, revocation requires server-side blocklists since the tokens are otherwise self-validating.
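The blocklist point above, as an added example that is not from RFC 7009 or any particular authorization server: a revoked JWT still passes signature and expiry checks, so acceptance also needs a server-side lookup. The function and class names, the HS256 demo key, the use of the `jti` claim as the blocklist key, and the in-memory dict are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(jti: str, exp: int) -> str:
    # Minimal HS256 JWT carrying only the claims this example needs.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"jti": jti, "exp": exp}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def verify_stateless(token: str, now: int):
    """Signature and expiry only: the check a JWT passes on its own."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None

class Blocklist:
    """Hypothetical server-side store of revoked token ids (jti -> exp)."""
    def __init__(self):
        self._revoked = {}

    def revoke(self, token: str, now: int) -> None:
        # Invalid or expired tokens are ignored: there is nothing left to invalidate.
        claims = verify_stateless(token, now)
        if claims and claims.get("jti"):
            self._revoked[claims["jti"]] = claims["exp"]

    def prune(self, now: int) -> None:
        # An entry is only needed until the token would have expired anyway.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def accept(self, token: str, now: int) -> bool:
        claims = verify_stateless(token, now)
        return claims is not None and claims.get("jti") not in self._revoked
```

Every party that validates the token has to consult the same blocklist for the revocation to take effect, which is the cost of revoking an otherwise stateless token.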