Ok, so firstly, let's clear a couple of things up.
Regarding the auth/revoke API, the data part where you provide the token is for the user to log out...
e.g. --data 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'
Secondly, as the SECRET_TOKEN_OF_USER_TO_LOG_OUT may have a + character, you should use --data-urlencode, otherwise they get converted to spaces (need to check if this has changed in node-red/node-js/express since docs were written)
e.g. --data-urlencode 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'
Lastly, sending an auth/revoke request will not instruct the browser to redirect since the request goes to the server-side/node-red & the browser is in client-side/user-land. HOWEVER, if you are successful in revoking the token, operations within node-red will not be possible (e.g. clicking an inject will show an "Error: unexpected error (401)" error). Refreshing the page would take the user to the login screen.
PS: There may be multiple tokens from multiple browsers for the same user. Just because you revoke 1 "admin" account login, does not mean all browsers logged in as "admin" are suddenly revoked.
Full example...
curl --data-urlencode 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT' -H "Authorization: Bearer A_LOGGED_IN_USER_SECRET_TOKEN" http://localhost:1880/auth/revoke
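The `+` issue described in the post, as an added example that is not part of the original post: it shows what standard form decoding does to an unencoded token and builds the same auth/revoke request with the value percent-encoded. The sample token, the function names and the use of Node's global `fetch` and `URLSearchParams` (Node 18+) are assumptions of this example.

```javascript
// Constructed sample value (not a real token) containing '+', '/' and '='.
const SAMPLE_TOKEN = "abc+def/ghi==";

// Standard application/x-www-form-urlencoded decoding, as implemented by
// URLSearchParams: '+' in the body is read as a space.
function parseFormToken(body) {
  return new URLSearchParams(body).get("token");
}

// Equivalent of `curl --data 'token=...'`: the value is sent unchanged.
function rawBody(token) {
  return "token=" + token;
}

// Equivalent of `curl --data-urlencode 'token=...'`: the value is
// percent-encoded, so '+' travels as %2B and survives decoding.
function encodedBody(token) {
  return "token=" + encodeURIComponent(token);
}

// Build the revoke request from the post: callerToken authenticates the
// caller, tokenToRevoke is the session being logged out.
function buildRevokeRequest(baseUrl, callerToken, tokenToRevoke) {
  return {
    url: new URL("/auth/revoke", baseUrl).href,
    options: {
      method: "POST",
      headers: {
        "Authorization": "Bearer " + callerToken,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body: encodedBody(tokenToRevoke),
    },
  };
}

// Send the request and return the HTTP status code.
async function revoke(baseUrl, callerToken, tokenToRevoke) {
  const { url, options } = buildRevokeRequest(baseUrl, callerToken, tokenToRevoke);
  const res = await fetch(url, options);
  return res.status;
}
```

If the decoded value differs from the issued token, the revoke call targets a token that does not exist and the session it was meant to end stays valid.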