Yup. That is correct. However, what we also plan on doing is that you can add blacklisting for certain APIs. Like all POST APIs can check the blacklist, whilst all GET APIs need not do that. This means that your GET APIs (which are most frequently called) will be super fast, whilst your POST APIs will get the benefit of immediate revocation. As a note, we also plan on supporting opaque access tokens. We just started off with JWTs since that's what the majority of the people we had spoken to wanted.