Also complicating things, the AuthorizationCode expires after 10 minutes. So apparently the only way to get a new code to revoke the user's token is for them to sign in again, which is a strange user experience when they are trying to delete their account and revoke authentication.
The API IS working provided the token is correct - the 200 and 400 responses are very unhelpful. The AuthorizationCode you receive with the sign-in token has to be sent to auth/token along with client id and client secret requesting a grant_type of authorization_code. The token you get back from this call is what you use in the token field of the auth/revoke form. The documentation for all of this is very confusing and the parameter names don't help.
https://stackoverflow.com/questions/72556424/how-to-validate-the-apple-revoke-token-api-appleid-apple-com-auth-revoke-succe/72656409#72656409
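The two-step flow described in the reply above, as an added example that is not part of the original thread and is not Apple's code: it builds the `auth/token` exchange and the `auth/revoke` form without sending them. The function names, the preference for `refresh_token` with a matching `token_type_hint`, and all sample values are assumptions; `client_secret` is taken as already generated.

```python
import json
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

APPLE_AUTH_BASE = "https://appleid.apple.com/auth"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}

def _post_form(path, form):
    # Both endpoints take a form-encoded POST body, not JSON.
    return Request(f"{APPLE_AUTH_BASE}/{path}", data=urlencode(form).encode(),
                   headers=FORM_HEADERS, method="POST")

def build_token_request(client_id, client_secret, authorization_code):
    """Step 1: exchange the sign-in AuthorizationCode at auth/token."""
    return _post_form("token", {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": authorization_code,
        "grant_type": "authorization_code",
    })

def pick_revocable_token(token_response_body):
    """Step 2: pull the token to revoke out of the auth/token JSON body."""
    body = json.loads(token_response_body)
    if "error" in body:
        raise ValueError(f"token exchange failed: {body['error']}")
    # Assumption: prefer the long-lived refresh token when one is returned.
    for field in ("refresh_token", "access_token"):
        if body.get(field):
            return body[field], field
    raise ValueError("response carried no refresh_token or access_token")

def build_revoke_request(client_id, client_secret, token, token_type_hint):
    """Step 3: the exchanged token, not the AuthorizationCode, goes in 'token'."""
    return _post_form("revoke", {
        "client_id": client_id,
        "client_secret": client_secret,
        "token": token,
        "token_type_hint": token_type_hint,
    })

def form_fields(request):
    """Decode a built request's body back into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(request.data.decode()).items()}

if __name__ == "__main__":
    # Constructed sample response; real values come from auth/token.
    sample = '{"access_token": "ACCESS-PLACEHOLDER", "refresh_token": "REFRESH-PLACEHOLDER"}'
    token, hint = pick_revocable_token(sample)
    req = build_revoke_request("com.example.app", "CLIENT-SECRET-PLACEHOLDER", token, hint)
    print(req.get_method(), req.full_url, form_fields(req))
```

Each request can be sent with `urllib.request.urlopen`. Since the thread reports a 200 from `auth/revoke` regardless of input, confirm the revocation by another check rather than trusting the status code.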
The API does nothing. We get 200 responses from all calls - new tokens, old tokens, placeholder data - it doesn't seem to matter. We got 400 errors invalid_client for empty payload or non-encrypted form data, otherwise 200. It DOES NOT revoke authorization for any token we've posted. The only way we've successfully revoked token authentication is via iOS privacy settings, or user security page. This API is not working.