From an email:
Access Tokens cannot be revoked, by design.
I would like to talk about your implementation because it sounds like there is a problem with them persisting after logout. Logout means a series of things, it can mean deleting a token, it can mean ending a session with the auth server, or removing a cookie. In addition to ending the session (via the /logout endpoint) you must delete the token and thus “logout”.
Thanks,
Dan