Different authorization servers have different policies as to when access tokens are revoked. Most typically enable the user to explicitly revoke access through an account management interface, though these interfaces can be difficult for users to find. Additionally, some API providers (such as Facebook) revoke outstanding access tokens when a user changes their password.

Applications are not usually informed when a user revokes access, and the specification does not define any way to implement a notification—the app will simply see an error the next time it attempts to use an access token or refresh the token stored for that user.

Facebook, however, does have a definable “Deauthorize callback URL” which performs a HTTP POST to your application when a user revokes access in the style of a WebHook. More information is available in Facebook’s developer documentation.

While users can revoke their access manually, some OAuth 2.0 authorization servers also allow tokens to be revoked programmatically. This enables an application to clean up after itself and remove access it no longer needs if, for instance, the user uninstalls the app.

Programmatic revocation is defined in a draft extension to the OAuth 2.0 specification and is implemented by popular OAuth providers such as Salesforce and Google. Salesforce allows for revocation of both refresh tokens and access tokens, while Google only enables revocation of refresh tokens. Here’s an example revocation request: ...