Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments Framework
RFC 9770, “Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments Framework”, is a Proposed Standard document published in June 2025 by M. Tiloca, F. Palombini, S. Echeverria, and G. Lewis. The canonical text is published by the RFC Editor.
Abstract
This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an authorization server to notify clients and resource servers (i.e., registered devices) about revoked access tokens. As specified in this document, the method allows clients and resource servers (RSs) to access a Token Revocation List (TRL) on the authorization server by using the Constrained Application Protocol (CoAP), with the possible additional use of resource observation. Resulting (unsolicited) notifications of revoked access tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on clients and RSs.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9770 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, and XML.
- RFC 9769 NTP Interleaved Modes
- RFC 9771 Properties of Authenticated Encryption with Associated Data Algorithms
- RFC 9772 Active Operations, Administration, and Maintenance for Use in Generic Network Virtualization Encapsulation
- RFC 9767 Grant Negotiation and Authorization Protocol Resource Server Connections
- RFC 9773 ACME Renewal Information Extension
- RFC 9766 Extensions for Weak Cache Consistency in NFSv4.2's Flexible File Layout
- RFC 9774 Deprecation of AS_SET and AS_CONFED_SET in BGP
- RFC 9765 RADIUS/1.1: Leveraging Application-Layer Protocol Negotiation to Remove MD5