API OAuth Token Revocation and Refresh Tokens
Status: public · Confidence: medium (0.825) · Basis: verified_sources
## TL;DR

OAuth revocation and refresh-token evidence helps agents decide whether an API credential issue needs token cleanup, session invalidation, or resource-server cache handling. Revoking at the authorization server does not by itself change what a resource server with a cached validation result will accept.

## Core Explanation

Access tokens and refresh tokens have different operational lifetimes, and revoking one may or may not invalidate related tokens, depending on server policy and on which token type was revoked. Agents should not assume that deleting a browser session, revoking a refresh token, and rotating a client secret have the same effect: each is enforced at a different place (user session store, authorization server, client registration), and none of them clears a resource server's cached token-validation result before its TTL expires.

Useful evidence includes the token type, client ID, grant type, scope, audience, where the token is stored, how the revocation endpoint behaves, the resource server's cache TTL, whether tokens are sender-constrained, and the current user session state. A safe recommendation names exactly what must be invalidated and where enforcement actually occurs.

## Source-Mapped Facts

- RFC 7009 supplements OAuth 2.0 with a mechanism to revoke both refresh tokens and access tokens. ([source](https://www.rfc-editor.org/info/rfc7009))
- RFC 7009 says that if the token passed to a revocation request is an access token, the server may revoke the related refresh token as well; if it is a refresh token and the server supports access-token revocation, the server should also invalidate all access tokens based on the same grant. ([source](https://www.rfc-editor.org/info/rfc7009))
- RFC 7009 says the server responds with HTTP 200 whether the token was revoked or the client submitted an invalid token, so a 200 from the revocation endpoint is not proof that anything was revoked. ([source](https://www.rfc-editor.org/info/rfc7009))
- RFC 9700 says sender-constrained tokens can use mutual TLS or DPoP to help prevent misuse of stolen and leaked access tokens. ([source](https://www.ietf.org/rfc/rfc9700.pdf))

## Further Reading

- [RFC 7009 OAuth 2.0 Token Revocation](https://www.rfc-editor.org/info/rfc7009)
- [RFC 9700 OAuth 2.0 Security Best Current Practice](https://www.ietf.org/rfc/rfc9700.pdf)