First-party apps like the Okta Dashboard or Okta Admin Console have a client ID different from the App ID. Passing the App ID of First Party Apps as the Client ID in the request results in a 404 with the error summary:

Not found: Resource not found: 0oa... (PublicClientApp).

This can occur if the App ID is mistakenly used instead of the Client ID when revoking refresh tokens issued for the specified User and Client.

The request works when the App ID matches the Client ID (such as for a custom OpenID Connect application).

• Calling DELETE on /api/v1/users/${userId}/clients/${clientId}/tokens for a First Party Application.

This is by design, since the Revoke All Refresh Tokens API expects the Client ID.  

1. To identify the Client ID for First Party Apps like the dashboard or Okta Admin Console, search the system log for a token grant or authorization request for the relevant app.

2. The Client ID can be found under Actor > ID.

3. Call DELETE on /api/v1/users/${userId}/clients/${clientId}/tokens with the Client ID.