Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi All, when we are revoking access token, the refresh token associated with the session is also getting  revoked. we are using '/oauth2/revoke' endpoint. Is this an expected behavior? is there a way to revoke the access token alone?

No, I don't think you would need to revoke the access token alone?

Are you looking to revoke the consent sessions instead maybe?
<https://www.ory.sh/docs/hydra/reference/api#lists-all-consent-sessions-of-a-subject>

For reference this might also be helpful:
<https://www.ory.sh/docs/hydra/concepts/before-oauth2#access-and-refresh-tokens-arent-sessions|Access and Refresh Tokens aren't Sessions>

we are looking for a capability like the one mentioned here <https://developer.okta.com/docs/guides/revoke-tokens/main/#revoke-only-the-access-token>

this allows to revoke only the access token without affecting the refresh token

Then you should use this endpoint, it revokes the consent session and invalidates all associated access tokens

<https://www.ory.sh/docs/hydra/reference/api#operation/revokeConsentSessions>

this end point also revokes the refresh token associated, we tested it.