Comment 3 for bug 1331790

Dolph Mathews (dolph) wrote:

+1 for everything Brant said.

DELETE http://keystone:35357/v2.0/tokens/{token_id} is definitely a supported call (it was just never included in the original spec), but only for the admin API in v2 (it's never been exposed to the service API on :5000 as far as I know). Prior to v3, there were several requests to add the same call to the "service" API (allowing users to delete their own tokens), which is effectively analogous to a user logging themselves out.

Identity API v3 adds documented support for a similar call (DELETE /v3/auth/tokens):

  https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#revoke-token

And Identity API v3 does not distinguish between user-facing and admin-facing calls (instead, leaving that determination up to policy enforcement). The default policy in keystone for the v3 call allows for "admin or owner" to revoke a token, but given that tokens are bearer tokens, if you possess a token, you can also revoke it.
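The two revocation calls the comment contrasts, and the "admin or owner" policy decision behind the v3 one, as an added example that is not part of the original bug comment and not keystone's own code. The v2 admin endpoint on :35357 and the v3 `DELETE /v3/auth/tokens` path are the ones named above; the v3 header convention (`X-Auth-Token` identifies the caller, `X-Subject-Token` names the token being revoked) is the real v3 API. Everything else is a constructed simplification: the in-memory token store, the sample token IDs and users, the `revoke()` status codes, and the `admin_or_owner()` rule modelled as "caller has the admin role, or caller and subject token belong to the same user". Presenting the same bearer token as both caller and subject is the self-revocation (logout) case the comment describes.

```python
"""Model of Keystone token revocation: the v2 admin call vs. the v3 call,
plus an "admin or owner" policy check. Added example, not keystone code."""

from dataclasses import dataclass, field


@dataclass
class Token:
    token_id: str
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample tokens (hypothetical IDs): one admin, two ordinary users.
TOKEN_STORE = {
    "tok-admin": Token("tok-admin", "admin-user", frozenset({"admin"})),
    "tok-alice": Token("tok-alice", "alice", frozenset({"member"})),
    "tok-bob": Token("tok-bob", "bob", frozenset({"member"})),
}


def v2_admin_revoke_request(admin_token: str, token_id: str) -> dict:
    """v2: DELETE /v2.0/tokens/{token_id}, only on the admin API (port 35357).
    The token being revoked travels in the URL; the admin token authenticates."""
    return {
        "method": "DELETE",
        "url": f"http://keystone:35357/v2.0/tokens/{token_id}",
        "headers": {"X-Auth-Token": admin_token},
    }


def v3_revoke_request(auth_token: str, subject_token: str) -> dict:
    """v3: DELETE /v3/auth/tokens. X-Auth-Token authenticates the caller,
    X-Subject-Token names the token to revoke. Using the same value for both
    revokes the caller's own token, i.e. a logout. Host/port are assumed."""
    return {
        "method": "DELETE",
        "url": "http://keystone:5000/v3/auth/tokens",
        "headers": {"X-Auth-Token": auth_token, "X-Subject-Token": subject_token},
    }


def admin_or_owner(store: dict, auth_token: str, subject_token: str) -> bool:
    """Simplified model (assumption) of the default v3 revoke policy: allowed
    when the caller holds the admin role, or when the caller's token and the
    subject token belong to the same user. Both tokens must be known."""
    caller = store.get(auth_token)
    subject = store.get(subject_token)
    if caller is None or subject is None:
        return False
    if "admin" in caller.roles:
        return True
    return caller.user_id == subject.user_id


def revoke(store: dict, auth_token: str, subject_token: str) -> int:
    """Apply the policy and delete the subject token on success.
    Returns an HTTP-style status (constructed mapping, not keystone's)."""
    if auth_token not in store:
        return 401  # caller's token unknown or already revoked
    if subject_token not in store:
        return 404  # nothing to revoke
    if not admin_or_owner(store, auth_token, subject_token):
        return 403  # policy denied
    del store[subject_token]
    return 204


if __name__ == "__main__":
    store = dict(TOKEN_STORE)
    print(v3_revoke_request("tok-alice", "tok-alice")["headers"])
    print("alice revokes bob:", revoke(store, "tok-alice", "tok-bob"))
    print("alice revokes self:", revoke(store, "tok-alice", "tok-alice"))
    print("alice again (token gone):", revoke(store, "tok-alice", "tok-bob"))
    print("admin revokes bob:", revoke(store, "tok-admin", "tok-bob"))
```

Once a bearer token has been used to revoke itself, the same token can no longer authenticate anything, including a further revoke request, which is why the third call in the usage section fails with 401 rather than 403.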