Firstly, Thanks for all your help. Your replies have always been very helpful.
The question I have is whether there is a way to invalidate an AccessToken.
I see there is an endpoint to invalidate a Refresh Token, but the access token generated initially is still valid. Is there a way to invalidate the accesstoken as well, at the same time as the refresh token invalidation or another explicit call later.