Thanks for that, without going into ACL, I guess having a logoutUser resolver that adds the revoked token to a blacklist then having a permission query for all models that checks the current auth token against this blacklist would work.