...
When a user wishes to end their a session (typically when logging out), the session should be revoked, rendering the refresh token unusable.
Revoke a session using the User sessions API. A session can be revoked by providing either the refresh token or the session ID, or by revoking all of the user's active sessions at once.
A list of active sessions can be obtained through the get user sessions endpoint.
Access tokens cannot be revoked, but they will expire after a while. When a session is ended, any remaining unexpired access tokens should simply be discarded.