Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The act of invalidating an access or refresh token before it expires — e.g., via OAuth 2.0's RFC 7009 endpoint — to cut off compromised or unwanted access.
Token Revocation Definition: The act of invalidating an access or refresh token before it expires — e.g., via OAuth 2.0's RFC 7009 endpoint — to cut off compromised or unwanted access.
Token revocation is the process of invalidating an issued security token — such as an OAuth access token, refresh token, or session token — before its natural expiration, so it can no longer be used to access protected resources. It lets organizations cut off access immediately in response to compromise, logout, role changes, or user termination.
Mechanically, revocation depends on token type. Opaque tokens are validated against a server-side store, so deleting or flagging the record revokes them instantly. OAuth 2.0 defines a dedicated revocation endpoint in RFC 7009 where clients submit a token to be invalidated. Self-contained JWTs are harder: since they are validated by signature without a server lookup, revocation requires a denylist of token IDs (jti), rotation of signing keys, or short lifetimes paired with revocable refresh tokens checked at each renewal.
Revocation matters because tokens are bearer credentials — anyone holding a valid token is treated as the authenticated subject. Without a revocation path, a stolen or leaked token remains usable until it expires, leaving a window for unauthorized access that defenders cannot close. This is the core tension behind keeping access-token lifetimes short: stateless JWTs trade easy validation for weak revocability, so designs balance performance against the ability to terminate access on demand.
For example, when a user reports a stolen laptop, an identity provider can revoke that session's refresh token via the RFC 7009 endpoint and add the active access token's jti to a denylist. The next time the device tries to refresh or call an API, validation fails and access is denied — even though the original token had not yet expired.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →