DELETE /api/v2/device-credentials/{id} for revoking refresh token same behaviour than /oauth/revoke?

When I send a request to /api/v2/device-credentials/{id} to delete a refresh token, does it deletes just this token or all refresh tokens that were issued for the same user with the same grants (like /oauth/revoke endpoint) ?

The /oauth/revoke endpoint revokes the entire grant not just a specific token. Each revocation request invalidates all the tokens that have been issued for the same authorization grant.

The /api/v2/device-credentials/{id} endpoint deletes specific token. This call requires you to provide specific RT id as param

https://auth0.com/docs/tokens/guides/revoke-refresh-tokens

1 Like