# ory-copilot
@chilly-king-10285, We are dealing with an issue on our OAuth2 server. We are using the `revokeOAuth2ConsentSessions` function from the API to revoke a consent session and all the associated access tokens. But it does not revoke the refresh_token (which would only generate revoked access_tokens). We would need to be able to revoke it as well. Ideally, the refresh endpoint should fail when using a refresh token from revoked consent sessions.
A message from kapa.ai
Short answer: Yes, you can revoke refresh tokens along with access tokens by revoking the user's consent; refresh usage should then fail.

Details:

- Revoking consent via `revokeOAuth2ConsentSessions` invalidates all tokens linked to that consent. With graceful refresh token rotation, all refresh tokens issued within the same consent (and their chains) are linked; revoking one (or the consent) invalidates all associated tokens. This causes refresh attempts to fail after revocation (for the whole token chain) ([Graceful refresh token rotation – example behavior](https://www.ory.sh/docs/hydra/guides/graceful-token-refresh#example-behavior-with-grace-period-and-reuse-count), [Revoke user consent](https://www.ory.sh/docs/oauth2-oidc/revoke-consent)).
- Ory issues opaque refresh tokens specifically so they can be immediately revoked; revocation is immediate for opaque tokens ([Opaque and JWT access tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token)).
- If you need to revoke a specific access or refresh token directly, use the token revocation endpoint (`/oauth2/revoke`) or the CLI (`ory revoke token` / `hydra revoke token`). Revoking a refresh token also invalidates the access token it created ([API revokeOAuth2Token](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json), [CLI ory revoke token](https://www.ory.sh/docs/cli/ory-revoke-token#ory-revoke-token), [CLI hydra revoke token](https://www.ory.sh/docs/hydra/cli/hydra-revoke-token#hydra-revoke-token)).

If your refresh token still works after consent revocation, that would be unexpected per the docs above. Double-check you are:

- Targeting the correct subject/client (or using `all=true`), and
- Using tokens that belong to the revoked consent request (especially when graceful rotation is enabled and token chains are in play) ([Revoke user consent](https://www.ory.sh/docs/oauth2-oidc/revoke-consent), [Graceful refresh token rotation](https://www.ory.sh/docs/hydra/guides/graceful-token-refresh)).
If the issue persists, consider sharing request specifics (subject, client, whether graceful rotation is enabled, and token issuance timing) to diagnose further.
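A small reproducer for the check the answer above describes, added here as an example and not taken from the thread or from Ory's own code: revoke the subject's consent sessions for one client through the admin API, then try to redeem the refresh token at the public token endpoint and report whether the refresh was refused. The endpoint paths (`DELETE /admin/oauth2/auth/sessions/consent` on the admin port, `POST /oauth2/token` and `POST /oauth2/revoke` on the public port), the default ports 4445/4444, HTTP Basic client authentication and the 204 status on successful consent revocation are assumptions about an Ory Hydra v2 deployment; adjust them for your setup. The `refresh_was_rejected` classifier deliberately treats any non-200 status, any `error` field, or a missing `access_token` as a rejection rather than relying on one specific status code.

```python
"""Check that revoking a consent session also kills its refresh token.

Added example (not from the thread or from Ory). Assumptions: an Ory Hydra v2
instance with the admin API at HYDRA_ADMIN_URL and the public API at
HYDRA_PUBLIC_URL, a confidential client authenticating with HTTP Basic, and
the endpoint paths named below.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed defaults for a local Hydra v2: admin on 4445, public on 4444.
ADMIN_URL = os.environ.get("HYDRA_ADMIN_URL", "http://127.0.0.1:4445")
PUBLIC_URL = os.environ.get("HYDRA_PUBLIC_URL", "http://127.0.0.1:4444")


def revoke_consent_url(subject, client_id=None, all_sessions=False):
    """URL for revokeOAuth2ConsentSessions (assumed path: DELETE
    /admin/oauth2/auth/sessions/consent). `subject` is required; `client_id`
    scopes the revocation to one client, all_sessions=True revokes every
    consent session of the subject (the `all=true` the answer mentions)."""
    params = {"subject": subject}
    if client_id:
        params["client"] = client_id
    if all_sessions:
        params["all"] = "true"
    return ADMIN_URL + "/admin/oauth2/auth/sessions/consent?" + urllib.parse.urlencode(params)


def _send(req):
    """Perform the request; return (status, parsed JSON body or {}) without
    raising on 4xx/5xx so the caller can inspect OAuth2 error bodies."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else {}
    except urllib.error.HTTPError as e:
        raw = e.read()
        try:
            return e.code, json.loads(raw) if raw else {}
        except ValueError:
            return e.code, {}


def _post_form(path, client_id, client_secret, fields):
    """POST an x-www-form-urlencoded body to the public API with Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        PUBLIC_URL + path,
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    return _send(req)


def revoke_consent(subject, client_id=None, all_sessions=False):
    """Revoke the subject's consent sessions (and the tokens linked to them)."""
    req = urllib.request.Request(revoke_consent_url(subject, client_id, all_sessions), method="DELETE")
    return _send(req)


def refresh_tokens(client_id, client_secret, refresh_token):
    """Redeem a refresh token at the token endpoint (grant_type=refresh_token)."""
    return _post_form("/oauth2/token", client_id, client_secret,
                      {"grant_type": "refresh_token", "refresh_token": refresh_token})


def revoke_token(client_id, client_secret, token):
    """Direct revocation of one access or refresh token via /oauth2/revoke (RFC 7009),
    the alternative the answer mentions for a single token."""
    return _post_form("/oauth2/revoke", client_id, client_secret, {"token": token})


def refresh_was_rejected(status, body):
    """True when the token endpoint refused the grant: non-200 status, an OAuth2
    `error` in the body, or no access_token issued."""
    return status != 200 or "error" in body or "access_token" not in body


def check_revocation(subject, client_id, client_secret, refresh_token):
    """Revoke consent for (subject, client), then try to refresh. Returns True when
    the refresh token is dead afterwards, which is the documented behaviour."""
    status, body = revoke_consent(subject, client_id)
    if status not in (200, 204):  # 204 is the assumed success status
        raise RuntimeError(f"consent revocation failed: {status} {body}")
    status, body = refresh_tokens(client_id, client_secret, refresh_token)
    return refresh_was_rejected(status, body)


if __name__ == "__main__":
    ok = check_revocation(os.environ["SUBJECT"], os.environ["CLIENT_ID"],
                          os.environ["CLIENT_SECRET"], os.environ["REFRESH_TOKEN"])
    print("refresh rejected after consent revocation:", ok)
```

Run it with `SUBJECT`, `CLIENT_ID`, `CLIENT_SECRET` and a live `REFRESH_TOKEN` from that subject's consent exported in the environment; a `True` result confirms the documented behaviour, while `False` (a fresh access token after revocation) is the case the answer calls unexpected and worth reporting with the subject, client and rotation settings. If graceful refresh token rotation is enabled, test with a refresh token from the same chain you revoked, since that is exactly the mismatch the answer warns about.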