Global Token Revocation (GTR) does not work for new applications, and stopped working for existing ones after they were updated in the Okta Access Gateway (OAG) Admin UI.
- Okta Access Gateway (OAG)
- Global Token Revocation (GTR)
The API endpoint in Okta that handles GTR has been updated. As a result, when OAG sends the application payload to Okta while creating or updating an application, the GTR-specific request is ignored.
The OAG payload request has been updated, and the fix will be available in the October 2025 release. For OAG versions earlier than the October 2025 release, the workaround described in the Solution section is required to enable GTR functionality. The workaround must be applied each time a new application is created or an existing one is updated.
Enable GTR through the Okta Admin Console by following the steps below:
- Log in to the Okta Admin Console.
- Search for the affected OAG application in the search bar or under Applications. Click the application to open its detailed view.
- Scroll down in the General tab and edit the Logout section.
- Make the following changes in the Logout section:
  - Select the checkbox for Okta system or admin initiates logout.
  - For Endpoint URL, enter https://<public_domain>/oag-session/gtr (where <public_domain> is the public domain of the affected OAG application, for example header.domain.tld).
  - For Subject format, select Email Identifier.
- Click on Save to commit the changes.
The following screenshot is an example of how the changes should look:
