OpenAPI relies on JSON Web Tokens (JWTs) for authorization, which carry 'claims' that are implicitly validated by the token's signature. Any token that is issued will be accepted by OpenAPI for the lifetime of that token, which for this reason is purposely kept short (typically 20 minutes). It is therefore not possible to outright revoke existing access tokens.
However, if for whatever reason you need to ensure potentially leaked tokens cannot be used indefinitely, the easiest way is to disallow the app from accessing your user account. This prevents the refresh token from being exercised to extend an existing session (by obtaining new access/refresh tokens) and forces any connected client that uses the application's credentials to log in again. Follow these steps to disconnect an application from your account:
Step 1 - Log in to SaxoTraderGO.
Step 2 - Navigate to: Account -> Other.
Step 3 - Open the Application Access module and find the application you wish to disconnect. Note that this overview includes any application that the user has previously authorized.
Step 4 - Click the Remove button on the right and confirm to revoke access.
The next time the application attempts to refresh the OpenAPI session (through a Code/PKCE/Implicit grant refresh request), the request is denied without providing further details. At this point the application has no valid tokens and is effectively disconnected from the user account.
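Because an access token that has already been issued stays accepted until it expires, disconnecting the application still leaves a short residual window. The following added example (not Saxo's code) sizes that window by reading the standard `exp` claim from a token you already hold. It assumes the access token is a compact JWT with a numeric `exp`; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying the signature.

    For inspecting a token you already hold (e.g. incident triage) only;
    never use unverified claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def exposure_seconds(token: str, now: Optional[float] = None) -> int:
    """Seconds a leaked access token remains usable; 0 if already expired."""
    exp = jwt_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric 'exp' claim; lifetime unknown")
    now = time.time() if now is None else now
    return max(0, int(exp - now))


def constructed_token(claims: dict) -> str:
    """Build a sample token with a placeholder signature (constructed data)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    sample = constructed_token({"iat": issued, "exp": issued + 20 * 60})
    # Five minutes after issue, a leaked copy is still accepted for 15 minutes.
    print(exposure_seconds(sample, now=issued + 5 * 60))
```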