In common OAuth/OpenID Connect flows, how are access tokens rotated and revoked?


Multiple Choice

In common OAuth/OpenID Connect flows, how are access tokens rotated and revoked?

Explanation:
Access tokens are kept short-lived so that exposure is limited, and they are rotated when they expire or after a re-authentication event. When a refresh token is used, the authorization server can issue a new access token and often a new refresh token as well, which reduces the risk if a token is stolen. Refresh tokens are long-lived and allow continued access without re-prompting the user; they can be revoked by the authorization server, for example on user sign-out or if compromise or abuse is detected. To enforce revocation, systems maintain token revocation lists or perform token introspection to check validity before granting access. This approach contrasts with the idea that tokens never rotate or cannot be revoked, or that revocation only happens during maintenance mode.

