A Refresh Token Must Be Revoked by Its Issuing Client
This article explains that a refresh token must be revoked by the same Auth0 client that it was issued to when the /oauth/revoke endpoint is used to revoke the refresh token. An attempt to revoke a refresh token using a different client will not succeed. The token revocation endpoint supports this action for both confidential and public clients.
- Refresh Tokens
- Token Revocation
- /oauth/revoke endpoint
- Confidential Clients
- Public Clients
When a revocation request is sent to the /oauth/revoke endpoint, the system validates that the client_id in the request matches the client_id associated with the refresh token. If the client IDs do not match, the token is not revoked. For security reasons, the endpoint still returns a 200 OK response in this case, so the status code alone can create the false impression that the revocation was successful.
To correctly revoke a refresh token, a POST request must be made to the /oauth/revoke endpoint using the credentials of the client application that originally obtained the token.
- For Confidential Clients, the request must include the client_id and client_secret.
- For Public Clients (e.g., native or single-page applications), the request must include the client_id. The client_secret should not be used, as it isn't required when the application's "Token Endpoint Authentication Method" is set to "None".
The client making the revocation request must be the same client that was issued the refresh token.
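As an added example (not Auth0's own code), the following Python script builds the revocation request described above for either client type, sends it with the issuing client's credentials, and then confirms the revocation by attempting the refresh grant, since a 200 OK from /oauth/revoke does not by itself prove the token was revoked. The tenant domain, client values, and the invalid_grant error returned for a rejected refresh are assumptions.

```python
"""Revoke an Auth0 refresh token and confirm the revocation took effect.

Added example, not Auth0's own code. The tenant domain and client values
are placeholders. Because /oauth/revoke returns 200 OK even when the
client_id does not match the token's issuing client, the reliable check
is to try the refresh grant afterwards and expect it to be rejected.
"""
import json
import urllib.error
import urllib.request


def build_revoke_body(client_id, refresh_token, client_secret=None):
    """Body for POST /oauth/revoke. Public clients (token endpoint auth
    method "None") send client_id only; confidential clients add the secret."""
    body = {"client_id": client_id, "token": refresh_token}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def _post_json(url, body):
    """POST a JSON body; return (status, parsed body) even on 4xx errors."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else {}
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}


def refresh_grant_rejected(status, body):
    """True when /oauth/token refused the refresh token (revocation held).
    Assumption: Auth0 reports a revoked token as a 4xx invalid_grant error."""
    return 400 <= status < 500 and body.get("error") == "invalid_grant"


def revoke_and_verify(domain, client_id, refresh_token, client_secret=None):
    """Revoke with the issuing client's credentials, then prove it worked."""
    base = f"https://{domain}"  # e.g. "your-tenant.us.auth0.com" (placeholder)
    status, _ = _post_json(f"{base}/oauth/revoke",
                           build_revoke_body(client_id, refresh_token, client_secret))
    assert status == 200  # 200 is returned even for a mismatched client_id
    token_body = {"grant_type": "refresh_token", "client_id": client_id,
                  "refresh_token": refresh_token}
    if client_secret is not None:
        token_body["client_secret"] = client_secret
    return refresh_grant_rejected(*_post_json(f"{base}/oauth/token", token_body))
```

If revoke_and_verify returns False, the revocation was most likely sent with a client_id other than the one the token was issued to.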