From c25ddc6d12fa367bbfc9ab5abed3f1dcc7e14195 Mon Sep 17 00:00:00 2001 From: Jason Judge Date: Sun, 6 Sep 2020 00:59:11 +0100 Subject: [PATCH] Issue #6 documentation for the revoke function --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index ba2880f..a23c9dd 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,10 @@ $provider = new \Calcinai\OAuth2\Client\Provider\Xero([ ]); ``` +Scopes are cumulative, meaning they will remain granted to the app for the user +until authorisation is revoked. Every new authorisation flow can add new scopes +that may not have been granted previously, and they will persist. + ## Refreshing a token ```php @@ -88,6 +92,20 @@ $newAccessToken = $provider->getAccessToken('refresh_token', [ ]); ``` +## Revoking a token + +A token, or authorisation, for a user can be revoked completely. +This can only be done through the API (a user cannot revoke their grants +through the Xero UI, except by deleting their account). + +Revoking a token will result in all granted scopes, and all connected tenants +being removed from the app for the authorising user. + +The refresh token is needed to revoke a grant: + +```php +$provider->revoke($refreshToken); +``` ## Testing
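Review bot: In the README.md hunk at @@ -80,6 +80,10 @@, the new paragraph says scopes stay granted "until authorisation is revoked" but does not say how to narrow a grant or where revocation is documented. As the paragraph is worded, a later authorisation flow that requests fewer scopes will not shrink what the app holds, so it is worth stating that explicitly. Adding a link to the "Revoking a token" section would tell integrators who want least privilege that revoking and re-authorising is how to drop a scope they no longer need.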
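Review bot: In the README.md hunk at @@ -88,6 +92,20 @@, the example `$provider->revoke($refreshToken);` shows neither what the call returns nor how a failure surfaces, so a reader cannot tell whether the revocation actually took effect. Please document the return value or the exception behaviour. Since the text says all scopes and connected tenants are removed, please also add a sentence advising that the app delete its stored access and refresh tokens for that user once revocation succeeds. As a style point, "all granted scopes, and all connected tenants being removed" reads better without the comma after "scopes".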