Clear User Session - Oauth tokens can not be revoked


I am trying to use Users Sessions api ( /api/v1/users/:uid/sessions) to clear all the sessions of user and revoke Oauth tokens at the same time.

The problem is that user’s sessions are destroyed but the Oauth tokens are not revoked.

This api is described here in the documentation:

The request headers are like this:

DELETE /api/v1/users/{uid}/sessions/?oauthTokens=true HTTP/1.1
Accept: application/json
Content-Type: multipart/form-data;
Authorization: SSWS {apiKey}
Cache-Control: no-cache
Postman-Token: 4c331971-08bd-e696-c55f-835d3833d9fb

Do you guys have any idea about this?

Thanks a lot!

Hmm, how are you verifying that the user’s tokens are revoked? Are you using the token introspection endpoint? Or using a JWT verifier library?

I am using Okta’s introspection endpoint.

What response are you getting back from the introspection endpoint? Just want to make sure I’m not missing anything here.

The response is 204 No Content. After I called the introspection endpoint, user’s sessions were destroyed but the OAuth tokens were not revoked.