The `oauth_token_revocation` feature allows tokens to be invalidated before they expire. It can invalidate both access and refresh tokens; revoking a refresh token also revokes its access token(s).
This is useful for applications that want a “logout” type of feature around OAuth, and for revocation after token breaches.
plugin :rodauth do
  enable :oauth_token_revocation
end
The revocation endpoint requires client authorization. Any of the supported auth methods for the token endpoint can be used, as well as token verification (if the resource server issued an access token using the client credentials grant).
The revocation endpoint expects the following parameters:
token_type_hint
: can be “access_token” or “refresh_token”;

token
: the access or refresh token to revoke;
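
The request these parameters describe, seen from the client side, as an added example that is not rodauth-oauth's own code: it builds the POST a client would send to the revocation endpoint, authenticating with HTTP Basic. The `/revoke` URL, host, client credentials and token values are constructed placeholders, and the helper names are hypothetical.

```ruby
require "net/http"
require "uri"

# The two values the page lists for token_type_hint.
TOKEN_TYPE_HINTS = %w[access_token refresh_token].freeze

# Builds (does not send) the revocation POST. Client credentials go in an
# HTTP Basic header; the endpoint URL is an assumption supplied by the caller.
def build_revocation_request(endpoint, client_id:, client_secret:, token:, hint: nil)
  uri = URI(endpoint)
  # The body carries a live token and the header a client secret:
  # refuse to put either on a cleartext connection.
  raise ArgumentError, "revocation endpoint must be https" unless uri.is_a?(URI::HTTPS)
  raise ArgumentError, "token is required" if token.to_s.empty?
  if hint && !TOKEN_TYPE_HINTS.include?(hint)
    raise ArgumentError, "token_type_hint must be one of #{TOKEN_TYPE_HINTS.join(', ')}"
  end

  params = { "token" => token }
  params["token_type_hint"] = hint if hint

  req = Net::HTTP::Post.new(uri)
  req.basic_auth(client_id, client_secret)
  req.set_form_data(params) # application/x-www-form-urlencoded body
  req
end

# Sends the request over TLS and returns the Net::HTTPResponse.
def send_revocation(endpoint, **opts)
  uri = URI(endpoint)
  req = build_revocation_request(endpoint, **opts)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
end

if __FILE__ == $PROGRAM_NAME
  req = build_revocation_request(
    "https://auth.example.test/revoke", # constructed URL
    client_id: "demo-client", client_secret: "demo-secret", # constructed
    token: "constructed-refresh-token", hint: "refresh_token"
  )
  puts req.body
end
```

On logout, revoking the refresh token is the call to make, since the page states that doing so also revokes its access token(s).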