GSSA-2026-04-30BV092026-04-255.1 Medium
`INVALIDATE_TOKENS` global revocation broken for OAuth user tokens
OAuth-issued JWTs were signed without a `createdAt` field, so the operator-facing `INVALIDATE_TOKENS` revocation switch silently no-op'd for all user tokens — only service tokens were affected.
OAuth-issued JWTs were signed without a createdAt field, so the operator-facing INVALIDATE_TOKENS revocation switch silently no-op'd for all user tokens — only service tokens were affected.