diff --git a/app/services/current-user.js b/app/services/current-user.js
index bfe61503b..19ee97e31 100644
--- a/app/services/current-user.js
+++ b/app/services/current-user.js
@@ -32,6 +32,11 @@ export default Service.extend({
     // using authenticator:oauth2
     let jwt = this.get('session.data.authenticated.access_token');
+    // rejecting revoked tokens
+    if (ENV.JWT_BLACKLISTED.split(',').includes(jwt)) {
+      jwt = null;
+      this.get('flashMessages').danger('Unable to authenticate because the token has been revoked.');
+    }
     // RSA public key
     let cert = ENV.JWT_PUBLIC_KEY ? ENV.JWT_PUBLIC_KEY.replace(/\\n/g, '\n') : null;
diff --git a/config/environment.js b/config/environment.js
index 0dab7fd2e..987787f2e 100644
--- a/config/environment.js
+++ b/config/environment.js
@@ -70,6 +70,7 @@ module.exports = function(environment) {
     CLIENT_ADMIN_PASSWORD: process.env.CLIENT_ADMIN_PASSWORD,
     VERSION: pkg.version,
     APP_NAME: pkg.name,
+    JWT_BLACKLISTED: process.env.JWT_BLACKLISTED || '',
     APP: {
       // Here you can pass flags/options to your application instance
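Review bot: The revocation branch on the `if (ENV.JWT_BLACKLISTED.split(',').includes(jwt))` line only clears the local `jwt` and shows a flash message; nothing in the hunk invalidates the session, so the revoked access token presumably stays in `session.data.authenticated` and keeps being attached to API requests — if the session service here is ember-simple-auth's, add `this.get('session').invalidate();` inside the branch (confirm it is available in this service). Note also that `ENV` is compiled into the browser bundle, so the list of revoked tokens is public and this check is no substitute for the API rejecting them; the comment should say so, e.g. `// client-side only: the API must also reject revoked tokens`. Comma-separated env values written with spaces (`tok1, tok2`) will never match because entries are not trimmed; use `ENV.JWT_BLACKLISTED.split(',').map((t) => t.trim()).includes(jwt)`. The enclosing function starts and ends outside the hunk.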