I have a problem where the user still can call the API after logout the application by using POSTMAN. There is no problem with the browser side after logged out since I have removed the access token and clear the cookies. But the user still can call the API and get the results using POSTMAN, which means the back-end doesn’t invalidate the OAuth token. This may cause security issues if the person has the access code. I go through some examples like using refresh token/ shorten the access token lifetime (seems like nothing that I want). Are there any other ways to revoke the oAuth2 access token to prevent user to call the API after they have logout the application?