PingFederate uses a pre-installed HSQLDB database as its persistent grant datastore after the initial setup. We strongly recommend using secured external storage for production deployments. Supported storage platforms include database servers, directory servers, and other storage solutions through the use of the PingFederate SDK.

Persistent grants (and the associated attributes and their values, if any) remain valid until the grants expire or are explicitly revoked or cleaned up.

PingFederate removes expired grants and the associated attributes from the grant datastore once a day. The frequency and the size of the cleanup batch are configurable. Optionally, PingFederate can cap the number of persistent grants on the basis of the combination of user, client, and grant type.

For revocation, PingFederate provides two endpoints.

Token revocation endpoint
The token revocation endpoint allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. The revocation request invalidates the actual token and possibly other tokens based on the same authorization grant.
Grant-management endpoint
The grant-management endpoint allows resource owners to view and optionally revoke the persistent access grants they have authorized.

The token revocation endpoint is intended for OAuth clients; it is the endpoint to which clients send their token revocation requests. The grant-management endpoint is for resource owners. It displays a list of the grants the resource owners have made. Resource owners can view and optionally revoke one or more grants as they see fit.
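
The client side of the token revocation exchange described above, as an added example that is not taken from the PingFederate documentation: it builds an RFC 7009 revocation request for a confidential client and maps the server's status codes to what the client should do with its stored token. The host name, the `/as/revoke_token.oauth2` path, the client credentials and the function names are assumptions; confirm the endpoint URL against your own deployment.

```python
import base64
import urllib.parse
import urllib.request

# Assumed values, not from the page: hypothetical host and an assumed
# revocation path; confirm both against your deployment.
REVOCATION_URL = "https://sso.example.com/as/revoke_token.oauth2"


def build_revocation_request(token, client_id, client_secret,
                             token_type_hint="refresh_token",
                             url=REVOCATION_URL):
    """Build (not send) an RFC 7009 revocation request for a confidential client."""
    if not url.lower().startswith("https://"):
        # The token and the client secret travel in this request.
        raise ValueError("revocation endpoint must use https")
    if token_type_hint not in ("refresh_token", "access_token"):
        raise ValueError("unknown token_type_hint")
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode("ascii")
    # RFC 6749 section 2.3.1: form-encode id and secret before Basic encoding.
    creds = "{}:{}".format(urllib.parse.quote_plus(client_id),
                           urllib.parse.quote_plus(client_secret))
    basic = base64.b64encode(creds.encode("ascii")).decode("ascii")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })


def interpret_revocation_response(status, error=None):
    """Map the server's answer to the action the client should take."""
    if status == 200:
        # RFC 7009: 200 also covers tokens that were already invalid or unknown.
        return "discard_token"
    if status == 503:
        # The token may still be valid; retry after the Retry-After delay.
        return "retry_later"
    if status == 400 and error == "unsupported_token_type":
        return "not_revocable"
    if status == 401 or error == "invalid_client":
        return "fix_client_credentials"
    return "unexpected"
```

Pass the returned request to `urllib.request.urlopen` to send it. Revoking the refresh token rather than an access token is the usual choice at logout, since the revocation can extend to other tokens based on the same grant.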