Overview

OAuth 2.0 Token Revocation is defined in RFC 7009.
The OAuth 2.0 core specification, RFC 6749, defines several ways for an OAuth Client to obtain Refresh Tokens and Access Tokens. This specification supplements the core specification with a mechanism to revoke both types of tokens. A token is a string representing an authorization grant issued by the Resource Owner to the OAuth Client. A revocation request invalidates the submitted token and, if applicable, other tokens based on the same Authorization Grant, as well as the Authorization Grant itself.
From an end-user's perspective, OAuth 2.0 is often used to log into a certain site or application. This revocation mechanism allows an OAuth Client to invalidate its tokens if the end-user logs out, changes identity, or uninstalls the respective application. Notifying the Authorization Server that the token is no longer needed allows the Authorization Server to clean up data associated with that token (e.g., session data) and the underlying Authorization Grant. This behavior prevents a situation in which there is still a valid Authorization Grant for a particular OAuth Client of which the end-user is not aware. In this way, token revocation prevents abuse of abandoned tokens and improves the end-user experience, since invalidated Authorization Grants will no longer turn up in a list of Authorization Grants the Authorization Server might present to the end-user.
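As an added illustration (not code from RFC 7009 or from this page), the following Python models the revocation behaviour described above: a request names one token, and the Authorization Server invalidates that token, the other tokens issued under the same Authorization Grant, and the grant itself. The in-memory store, the full-cascade policy, and the use of `invalid_request` when the token belongs to a different OAuth Client are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    grant_id: str
    client_id: str          # the OAuth Client the Resource Owner authorized
    revoked: bool = False

@dataclass
class Token:
    value: str
    kind: str               # "access_token" or "refresh_token"
    grant_id: str           # the Authorization Grant this token was issued under
    revoked: bool = False

class AuthorizationServer:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}   # constructed in-memory store (assumption)
        self.tokens: dict[str, Token] = {}

    def issue(self, client_id: str) -> tuple[str, str]:
        """Record a new grant and bind one access and one refresh token to it."""
        grant = Grant(secrets.token_urlsafe(8), client_id)
        self.grants[grant.grant_id] = grant
        access = Token(secrets.token_urlsafe(16), "access_token", grant.grant_id)
        refresh = Token(secrets.token_urlsafe(16), "refresh_token", grant.grant_id)
        self.tokens.update({access.value: access, refresh.value: refresh})
        return access.value, refresh.value

    def is_valid(self, value: str) -> bool:
        tok = self.tokens.get(value)   # usable only if neither token nor grant is revoked
        return tok is not None and not tok.revoked and not self.grants[tok.grant_id].revoked

    def revoke(self, client_id: str, form: dict) -> tuple[int, dict]:
        """RFC 7009 request ('token', optional 'token_type_hint'); returns (status, body)."""
        if form.get("token_type_hint") not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        tok = self.tokens.get(form.get("token", ""))
        if tok is None:
            return 200, {}  # unknown token: RFC 7009 still answers 200
        grant = self.grants[tok.grant_id]
        if grant.client_id != client_id:
            return 400, {"error": "invalid_request"}  # refused: not this client's token
        # Cascade (assumed policy): revoke the grant and every token issued under it.
        grant.revoked = True
        for other in self.tokens.values():
            if other.grant_id == grant.grant_id:
                other.revoked = True
        return 200, {}
```

The `client_id` argument stands in for the client authentication that the revocation endpoint performs before acting on the request.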