Revoke Tokens
Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions.
As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.