How would I go about revoking permission for a 3rd party after the user has authenticated from their side (through authorization code flow)

The scenario is a user on a trusted 3rd party platform with client credentials has gone through our universal login (auth code flow) and now the 3rd party can access our API on their behalf using a refresh/access token.

How would I revoke the 3rd party access at the user’s request, is it just a case of revoking the refresh token they are holding for that user so they can’t get another access token? If so do I use the management API to do that? I have seen you can revoke the “authorized applications” tab against a user through the UI but it needs to be done programmatically.