<@U010UKXCPP0> <@U011D3UQKNY> I’m using Ory Hydra...
# general
b
@steep-lamp-91158 @magnificent-energy-493 I’m using Ory Hydra in my application, which serves as the identity provider. The application supports two authentication modes — Local User and LDAP — but a user can only use one mode at a time. When the admin changes the authentication mode, we want to revoke all access, refresh, and ID tokens so that all currently logged-in user sessions are automatically logged out. I tried using the Ory Hydra Admin API `/admin/oauth2/tokens`, but it only deletes the access token — the refresh token remains valid. How can this be achieved properly using Ory Hydra?
b
To ensure all logged-in sessions are actually logged out immediately upon an authentication mode change, it is best to:
• Revoke all tokens (access, refresh, ID tokens) associated with the user, which invalidates their token-based access. For this you can use the `POST /oauth2/revoke` endpoint to revoke individual tokens, or the `DELETE /admin/oauth2/auth/sessions/consent` endpoint to revoke a subject's granted consent sessions and invalidate all associated OAuth 2.0 Access Tokens.
• Invalidate or revoke the user sessions explicitly so that browser cookies or session tokens are removed/inactivated. For this you can use the `DELETE /admin/oauth2/auth/sessions/login` endpoint. This will revoke all login sessions for the user, requiring them to log in again.
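A worked example of the two admin calls from the answer above, added here as illustration; it is not part of the thread and not Ory's code. It assumes Hydra's admin API at `HYDRA_ADMIN_URL` and public API at `HYDRA_PUBLIC_URL` (hypothetical defaults), and that the application already knows the subject identifiers of the users whose authentication mode was switched. The HTTP transport is injectable so the logic can be exercised offline with the `RecordingTransport` stand-in; standard library only.

```python
"""Log a set of Ory Hydra subjects out everywhere via the admin API.

Added example for the thread above, not code from Ory or either poster.
Assumes Hydra admin at HYDRA_ADMIN_URL and public at HYDRA_PUBLIC_URL
(hypothetical defaults) and a known list of affected subject identifiers.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

HYDRA_ADMIN_URL = "http://127.0.0.1:4445"   # assumption: admin port, internal network only
HYDRA_PUBLIC_URL = "http://127.0.0.1:4444"  # assumption: public port

# A transport sends one request and returns (status, body). Keeping it
# injectable lets the revocation logic run offline (RecordingTransport below).
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, body: Optional[bytes],
                     headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport on urllib; returns the status even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class RecordingTransport:
    """Offline stand-in: records every request, answers with a canned status."""

    def __init__(self, status: int = 204) -> None:
        self.calls: List[Tuple[str, str]] = []
        self.status = status

    def __call__(self, method: str, url: str, body: Optional[bytes],
                 headers: Dict[str, str]) -> Tuple[int, str]:
        self.calls.append((method, url))
        return self.status, ""


def subject_revocation_requests(subject: str,
                                admin_url: str = HYDRA_ADMIN_URL) -> List[Tuple[str, str]]:
    """The two admin calls from the answer, in the order they should run.

    1. DELETE /admin/oauth2/auth/sessions/consent?subject=...&all=true
       revokes every consent session the subject granted and the tokens
       issued under them.
    2. DELETE /admin/oauth2/auth/sessions/login?subject=...
       revokes the subject's login sessions, so the next authorization
       request must go through the login flow again.
    """
    q = urllib.parse.urlencode({"subject": subject})
    return [
        ("DELETE", f"{admin_url}/admin/oauth2/auth/sessions/consent?{q}&all=true"),
        ("DELETE", f"{admin_url}/admin/oauth2/auth/sessions/login?{q}"),
    ]


def revoke_subject(subject: str, transport: Transport = urllib_transport,
                   admin_url: str = HYDRA_ADMIN_URL) -> Dict[str, int]:
    """Run both revocations for one subject -> {"consent": status, "login": status}."""
    statuses: Dict[str, int] = {}
    for method, url in subject_revocation_requests(subject, admin_url):
        kind = url.split("?", 1)[0].rsplit("/", 1)[-1]  # "consent" or "login"
        status, _ = transport(method, url, None, {"Accept": "application/json"})
        statuses[kind] = status
    return statuses


def revoke_subjects(subjects: List[str], transport: Transport = urllib_transport,
                    admin_url: str = HYDRA_ADMIN_URL) -> Dict[str, Dict[str, int]]:
    """The admin endpoints take one subject each, so a mode switch means looping
    over every affected subject. Failures are collected rather than raised so
    one bad subject does not leave the rest logged in."""
    return {s: revoke_subject(s, transport, admin_url) for s in subjects}


def failed_subjects(results: Dict[str, Dict[str, int]]) -> List[str]:
    """Subjects for which either call did not return 204 No Content."""
    return sorted(s for s, r in results.items() if any(st != 204 for st in r.values()))


def revoke_token(token: str, client_id: str, client_secret: str,
                 token_type_hint: str = "refresh_token",
                 transport: Transport = urllib_transport,
                 public_url: str = HYDRA_PUBLIC_URL) -> int:
    """POST /oauth2/revoke for one token (RFC 7009). Unlike the admin calls this
    needs the credentials of the OAuth 2.0 client the token was issued to."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, _ = transport("POST", f"{public_url}/oauth2/revoke", body, headers)
    return status


if __name__ == "__main__":
    # Constructed subject list; drop transport= to hit a real Hydra via urllib.
    rec = RecordingTransport()
    out = revoke_subjects(["alice@example.test", "bob@example.test"], transport=rec)
    print(out, failed_subjects(out))
```

Two practical points when wiring this into the mode switch: the admin endpoints are per-subject, so the application has to enumerate the affected users itself, and an ID token is a signed JWT that Hydra does not track after issuance, so these calls stop new tokens and logins but the relying party must still drop its own session that was established from that ID token.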