...
When you use the refresh grant to get a new access token, the refresh token is renewed by default. To change this behavior, set the <RenewRefreshTokenForRefreshGrant> element to false. The new refresh token has a new expiry time and the previous refresh token becomes inactive. To change the expiry time of your refresh token, set the <RefreshTokenValidityPeriod> element is in seconds.
Revoking access tokens
After issuing an access token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling the Revoke API using a REST Client. The Revoke API's endpoint URL is https://gateway.api.cloud.wso2.com/revoke. The parameters required to invoke this API are as follows:
...