After revoke API call, token is still able to be used

I am using the revoke API call (…oauth2/default/v1/revoke) and after I do that I call introspect (…oauth2/default/v1/introspect) and I can see that the active status is now equal to false. However, I can still use the token in Postman. Should that be allowed? Do I need to do something else to make the token unusable?

Maybe I am misunderstanding what revoke is meant to do?

Are you sending the tokens to your own API (OAuth use case) or are you sending them to Okta to use against Okta’s APIs?

If sending to your own endpoints that you’re protecting with tokens issued by Okta, I recommend reviewing this thread which explains why you may be seeing this behavior.
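The behaviour the reply points to, shown as an added example that is not from this thread or from Okta: a resource server that only reads the JWT payload locally cannot see the revoke call, while one that asks the introspection endpoint does. The issuer URL, client credentials, sample token and the stand-in endpoint response are constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical issuer; a real deployment takes this from configuration.
INTROSPECT_URL = "https://example.okta.com/oauth2/default/v1/introspect"

def b64url(data):
    """base64url-encode without padding (JWT segment encoding)."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def make_sample_jwt(payload):
    """Constructed JWT-shaped token (signature segment left empty) for parsing only."""
    return b64url(b'{"alg":"RS256"}') + "." + b64url(json.dumps(payload).encode()) + "."

def local_check_only(token, now):
    """What a resource server validating JWTs locally sees: the payload still
    says the token is unexpired, so a revoke call is invisible here."""
    part = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return payload.get("exp", 0) > now

def introspect(token, client_id, client_secret, fetch=None):
    """POST the token to the introspection endpoint and return its JSON reply.
    fetch(url, body, headers) -> bytes is injectable so the logic runs offline."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    if fetch is None:
        def fetch(url, data, hdrs):
            req = urllib.request.Request(url, data=data, headers=hdrs, method="POST")
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
    return json.loads(fetch(INTROSPECT_URL, body, headers))

def token_is_usable(token, client_id, client_secret, fetch=None):
    """Accept only if the authorization server reports the token active;
    transport or parse errors fail closed."""
    try:
        return introspect(token, client_id, client_secret, fetch).get("active") is True
    except (OSError, ValueError, AttributeError):
        return False

# Constructed sample: a long-lived token, and a stand-in for the introspection
# endpoint that already knows the token was revoked (active=false).
SAMPLE_TOKEN = make_sample_jwt({"sub": "user@example.com", "exp": 4102444800})
def fake_okta_after_revoke(url, body, headers):
    return b'{"active": false}'
```

Calling introspection on every request adds a network round trip per call; the usual trade-off is a short token lifetime plus introspection (or a revocation cache) on the resource server.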
