You can revoke a refresh token, which helps in revoking the associated access tokens. To revoke refresh tokens, use the REST API calls to the token revocation endpoint. For information about using REST calls to revoke a refresh token, see the NetIQ Access Manager 5.0 Administration API Guide.
For the MobileAccess application, use the Access Manager user portal for unregistering a device. For example, a user who lost a registered device can unregister the device from the user portal page. However, if you are not using MobileAccess, ensure that the user is logged out of OAuth. To achieve this, the API request for the access token must include the device ID and user details. If the device ID is specified during the request, you can revoke the refresh token for the configured device. For information about API requests, see the NetIQ Access Manager 5.0 Administration API Guide.
NOTE:You can revoke only the refresh tokens that are in the JWT format.