Revoke Token endpoint and PKCE flow

This page makes a point of stating that using the Application Secret in an app where users could potentially see the source code is bad:

“If you have a public client that is unable to use registered client secrets or an application running in a browser or on a mobile device, you must use the OAuth PKCE flow. You should also choose the OAuth PKCE flow if you have a native desktop application, a single-page web application, or a mobile application.”

But the revoke token endpoint seems to explicitly require the application secret:

How should I call the Revoke Token endpoint if I’m trying to avoid including my Square application’s Application/Client Secret in an app that I give to users?

:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

OAuth API
OAuth Best Practices
Refresh, Revoke, and Limit Scope of OAuth Tokens

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The Revoke Token endpoint should not be called directly from a client-side application, especially one that is public facing. Instead, revocation of tokens should be handled server-side in a secure environment where your application secret can be safely stored. This way, your application secret is not exposed in your client-side code. The client-side application can send a request to your server to trigger the revocation of the token.

This answer was reviewed by @Bryan-Square.
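As an added illustration of the server-side pattern described in the answer above (example code written for this thread, not Square's own code or SDK): the browser or mobile client only calls your own backend with its authenticated session, and the backend looks up the Square token it holds for that user, attaches the Application Secret from its environment, and forwards the revocation. The revoke URL and the `Client <secret>` Authorization header are assumptions of this example, as are the `token_store` mapping and the `offline_opener` stand-in used so it runs without network access.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed endpoint and auth scheme; confirm against Square's Revoke Token docs.
SQUARE_REVOKE_URL = "https://connect.squareup.com/oauth2/revoke"


def load_application_secret(env=None):
    """Read the Application Secret from the server's environment only.

    The secret never appears in client-side code; if it is missing here the
    server refuses to proceed rather than falling back to an embedded value.
    """
    env = os.environ if env is None else env
    secret = env.get("SQUARE_APPLICATION_SECRET")
    if not secret:
        raise RuntimeError("SQUARE_APPLICATION_SECRET is not configured on the server")
    return secret


def build_revoke_request(client_id, access_token, application_secret):
    """Build the outbound POST to the Revoke Token endpoint (assumed request shape)."""
    body = json.dumps({"client_id": client_id, "access_token": access_token}).encode("utf-8")
    return urllib.request.Request(
        SQUARE_REVOKE_URL,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Client {application_secret}",
        },
    )


def handle_revoke_from_client(session_user_id, token_store, client_id,
                              env=None, opener=urllib.request.urlopen):
    """Server-side handler for a client's "disconnect my Square account" request.

    The client supplies only its own authenticated session; the server looks up
    the token it stored for that user, so a caller can never name another
    user's token, and the secret is added only here, inside the trusted tier.
    """
    access_token = token_store.get(session_user_id)
    if access_token is None:
        return {"ok": False, "status": 404, "error": "no Square token on file for this user"}

    req = build_revoke_request(client_id, access_token, load_application_secret(env))
    try:
        with opener(req) as resp:
            resp.read()
    except urllib.error.HTTPError as exc:
        # Keep the stored token so the user can retry; report only the status code.
        return {"ok": False, "status": exc.code, "error": "revocation rejected"}

    # Revocation succeeded: drop our stored copy so it cannot be reused.
    del token_store[session_user_id]
    return {"ok": True, "status": 200}


class FakeResponse:
    """Constructed stand-in for urlopen's response so the example runs offline."""

    def read(self):
        return b'{"success": true}'

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        return False


def offline_opener(req):
    """Constructed opener: checks the request shape without touching the network."""
    assert req.get_method() == "POST"
    assert req.get_header("Authorization", "").startswith("Client ")
    return FakeResponse()


if __name__ == "__main__":
    env = {"SQUARE_APPLICATION_SECRET": "server-only-secret"}   # constructed
    store = {"user-42": "EAAA-constructed-access-token"}         # constructed
    print(handle_revoke_from_client("user-42", store, "sq0idp-constructed", env, offline_opener))
    print(handle_revoke_from_client("user-42", store, "sq0idp-constructed", env, offline_opener))
```

The second call in the demo returns a 404 result because the stored token was deleted after the first successful revocation; that is the behaviour you want, since a client that can trigger revocation but never sees the token or the secret has nothing worth extracting from the shipped app.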

Thanks for the clarification.