Maybe you could find some suggestions in this thread: Handling account deletions and revoking tokens for Sign in with Apple - https://developer.apple.com/forums/thread/708415
As for revoking the token, here is one link you could refer to: https://stackoverflow.com/a/72656672/3011380
Hi Ziddi Khattak, the correct token to revoke is the access token or refresh token, rather than the identity token. For details, please refer to this SO
Maybe you could refer to About Account deletion when users use the Sign in with Apple - https://developer.apple.com/forums/thread/706792?answerId=717873022#717873022
Finally, we could call the revoke token API (appleid.apple.com/auth/revoke) successfully, and the Apple ID binding information is deleted under Apps Using Apple ID in Settings. The root cause in my case was that an invalid token was used. For details, please refer to this SO. There are also some details in About Account deletion when users use the Sign in with Apple - https://developer.apple.com/forums/thread/706792?answerId=717873022#717873022
The following three values are required for appleid.apple.com/auth/revoke.
client_id: This is the App ID you can find in Apple Developer's Identifiers. It is the identifier excluding the Team ID, namely the bundle ID.
client_secret: A secret JSON Web Token (JWT) that uses the Sign in with Apple private key associated with your developer account. You need to create it using JWT, and download the key file from developer.apple.com/account/resources/authkeys/list
token: The token to be revoked. The token is the access_token or refresh_token returned from auth/token.
As for auth/token, there are two additional parameters, as below:
code: The authorization code received in an authorization response sent to your app. The code is single-use only and valid for five minutes. Authorization code validation requests require this parameter. It is the same as the authorizationCode key of the Apple sign-in response, and its type is base64. It should be decoded to UTF-8 before being passed to the auth/token API.
grant_type: (Required) The grant type determines how the client app interacts with the validation server. Authorization code and refresh token validation requests require this parameter. For authorization code validation, use authorization_code. For refresh token validation requests, use refresh_token.
Here is one Node.js sample on SO
Another question, is there any doc for the invoice lookup API? I failed to find it. Has this API been released yet?
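The parameters listed above, shown as an added Node.js example that is not part of the original posts or the linked SO sample: it builds the client_secret JWT and the form bodies for auth/token and auth/revoke, and rejects an identity token before it reaches the revoke call. The Team ID, key ID, bundle ID, tokens and the throwaway P-256 key are constructed placeholders, and the `looksLikeIdentityToken` heuristic is an assumption.

```javascript
// Added example, not from the original posts. Everything is built offline; nothing is sent.
const crypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");

// client_secret: ES256 JWT signed with the Sign in with Apple private key.
function makeClientSecret({ teamId, clientId, keyId, privateKey, now, ttl = 300 }) {
  const header = b64url(JSON.stringify({ alg: "ES256", kid: keyId }));
  const claims = b64url(JSON.stringify({
    iss: teamId,
    iat: now,
    exp: now + ttl, // keep the secret short-lived
    aud: "https://appleid.apple.com",
    sub: clientId, // same value as client_id
  }));
  const input = `${header}.${claims}`;
  // JWS needs the raw r||s signature (64 bytes for P-256), not the default DER encoding.
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64url")}`;
}

// Heuristic (assumption): an identity token is a JWT, so its first segment
// decodes to a JSON header carrying "alg"; access/refresh tokens do not.
function looksLikeIdentityToken(token) {
  try {
    const header = JSON.parse(Buffer.from(token.split(".")[0], "base64url").toString("utf8"));
    return typeof header === "object" && header !== null && "alg" in header;
  } catch {
    return false;
  }
}

// Form body for auth/token: the base64 authorizationCode is decoded to UTF-8 first.
function tokenBody({ clientId, clientSecret, authorizationCodeB64 }) {
  const code = Buffer.from(authorizationCodeB64, "base64").toString("utf8");
  return new URLSearchParams({ client_id: clientId, client_secret: clientSecret, code, grant_type: "authorization_code" }).toString();
}

// Form body for auth/revoke: the three required values.
function revokeBody({ clientId, clientSecret, token }) {
  if (looksLikeIdentityToken(token)) throw new Error("identity token passed; revoke needs access_token or refresh_token");
  return new URLSearchParams({ client_id: clientId, client_secret: clientSecret, token }).toString();
}

// Constructed inputs: throwaway key pair and placeholder identifiers.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const secret = makeClientSecret({ teamId: "TEAMID0000", clientId: "com.example.app", keyId: "KEYID00000", privateKey, now: 1700000000 });
console.log(revokeBody({ clientId: "com.example.app", clientSecret: secret, token: "r0000.0.constructed" }));
```

Both bodies are sent as `application/x-www-form-urlencoded` POST requests; in real use the private key comes from the downloaded key file instead of being generated.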
Thank you for your update. Sorry for missing this important notification.
The content-length of the response is 0, so the body is empty; I proved it by passing the body in code.
Thanks