From 1c58092feb71bc7f2778a6a0c6c24dbe07e5460e Mon Sep 17 00:00:00 2001
From: fabiohidekihirose
Date: Fri, 19 Jun 2026 15:58:23 +0900
Subject: [PATCH] feat: add note to TokenRevokeRequest and TokenRevokeResponse about 20-token-per-call limit
---
 .../java/com/authlete/common/dto/TokenRevokeRequest.java | 8 ++++++++
 .../java/com/authlete/common/dto/TokenRevokeResponse.java | 6 +++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/authlete/common/dto/TokenRevokeRequest.java b/src/main/java/com/authlete/common/dto/TokenRevokeRequest.java
index a5ed98fdea..5c4c4e1bc8 100644
--- a/src/main/java/com/authlete/common/dto/TokenRevokeRequest.java
+++ b/src/main/java/com/authlete/common/dto/TokenRevokeRequest.java
@@ -79,6 +79,14 @@
 * the API returns {@code 400 Bad Request}.
 *

 *
+ *
+ *

+ * Bulk revocation with `clientIdentifier` only, `clientIdentifier` + `subject`,
+ * or `subject` only deletes at most **20 tokens per request**
+ * (the default of `token.revoke.count.max` in `ServerConfiguration.java`). If the
+ * target has more than 20 tokens, the response `count` will be 20 and the remainder
+ * is left untouched. To fully wipe them, call the endpoint repeatedly until `count` returns 0.
+ *

* * @since 3.26 * @since Authlete 2.2.29 diff --git a/src/main/java/com/authlete/common/dto/TokenRevokeResponse.java b/src/main/java/com/authlete/common/dto/TokenRevokeResponse.java index 3286520b27..9a4b9b4f8f 100644 --- a/src/main/java/com/authlete/common/dto/TokenRevokeResponse.java +++ b/src/main/java/com/authlete/common/dto/TokenRevokeResponse.java @@ -26,7 +26,11 @@ public class TokenRevokeResponse extends ApiResponse { private static final long serialVersionUID = 1L; - + /** + * If the + * target has more than 20 tokens, the response `count` will be 20 and the remainder + * is left untouched. To fully wipe them, call the endpoint repeatedly until `count` returns 0. + */ private int count;
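Review bot: The added Javadoc paragraph in TokenRevokeRequest.java is written in Markdown (backticks and `**20 tokens per request**`), which the Javadoc tool prints literally; the context line above already uses `{@code 400 Bad Request}`, so the new text should use `{@code clientIdentifier}`, `{@code subject}`, `{@code count}` and `<b>…</b>`. It also states 20 as a fixed number while calling it the default of `token.revoke.count.max`, so "the response count will be 20" is wrong on a server configured differently; I would write `at most the configured maximum (20 by default)`. A caller revoking by subject or client, for example after a credential compromise, may assume one call is enough, so the paragraph should say outright that tokens beyond the cap remain valid until a later call returns a `count` of 0. The same wording is added to the `count` field Javadoc in TokenRevokeResponse.java, which in addition opens with "If the target…" without first saying what `count` holds, e.g. `The number of tokens revoked by this call.`; that class continues past the end of the visible hunk.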