RFC 7009 — OAuth 2.0 Token Revocation by node
This document defines a mechanism for a client to notify an authorization server that a token is no longer needed, allowing the server to revoke it — a clean way to invalidate tokens on logout or compromise rather than waiting for expiry.
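The client side of this exchange, as an added example (not code from the RFC or from this page): the `token` and `token_type_hint` parameters, the HTTPS requirement and the response semantics follow RFC 7009, while the function names, endpoint URL and credentials are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit

# This example accepts only the two hint values RFC 7009 itself defines.
KNOWN_HINTS = ("access_token", "refresh_token")


def build_revocation_request(endpoint, token, client_id, client_secret,
                             token_type_hint=None):
    """Return (method, url, headers, body) for a token revocation request."""
    # The request carries client credentials and the token in the clear at the
    # HTTP layer, so the revocation endpoint must be an https URL.
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("revocation endpoint must be an https URL")
    params = {"token": token}
    if token_type_hint is not None:
        if token_type_hint not in KNOWN_HINTS:
            raise ValueError("unknown token_type_hint: %r" % token_type_hint)
        params["token_type_hint"] = token_type_hint
    # Confidential clients authenticate; HTTP Basic is shown here.
    userpass = "%s:%s" % (quote_plus(client_id), quote_plus(client_secret))
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + base64.b64encode(userpass.encode()).decode(),
    }
    return "POST", endpoint, headers, urlencode(params)


def interpret_revocation_response(status, error=None):
    """Map the server's answer to what the client should do next."""
    if status == 200:
        # 200 is returned both when the token was revoked and when it was
        # already invalid; in either case the client discards its copy.
        return "discard_token"
    if status == 503:
        # The server could not process the request: assume the token still
        # exists and retry (honouring Retry-After if the server sent one).
        return "retry_later"
    if status == 400 and error == "unsupported_token_type":
        return "token_type_not_revocable"
    return "treat_as_still_valid"


if __name__ == "__main__":
    # Constructed sample values, e.g. revoking a refresh token on logout.
    print(build_revocation_request("https://as.example.test/revoke",
                                   "constructed-token-value", "example-client",
                                   "example-secret", "refresh_token"))
```

On logout or suspected compromise, only a `discard_token` result lets the client treat the token as dead; any other outcome means it may still be usable until it expires.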