diff --git a/src/orangutan-server/src/main.rs b/src/orangutan-server/src/main.rs
index c3fac22..a6138a1 100644
--- a/src/orangutan-server/src/main.rs
+++ b/src/orangutan-server/src/main.rs
@@ -119,6 +119,8 @@ enum Error {
 UpdateContentError(#[from] update_content_routes::Error),
 #[error("Unauthorized")]
 Unauthorized,
+ #[error("Forbidden")]
+ Forbidden,
 #[cfg(feature = "templating")]
 #[error("Templating error: {0}")]
 TemplatingError(#[from] templating::Error),
diff --git a/src/orangutan-server/src/routes/debug_routes.rs b/src/orangutan-server/src/routes/debug_routes.rs
index 4ca681d..2f558a8 100644
--- a/src/orangutan-server/src/routes/debug_routes.rs
+++ b/src/orangutan-server/src/routes/debug_routes.rs
@@ -4,6 +4,7 @@ use chrono::{DateTime, Utc};
 use lazy_static::lazy_static;
 use rocket::{get, http::CookieJar, routes, Route};
+use super::auth_routes::REVOKED_TOKENS;
 use crate::{request_guards::Token, Error};
 lazy_static! {
@@ -24,6 +25,7 @@ pub(super) fn routes() -> Vec {
 get_user_info,
 errors,
 access_logs,
+ revoked_tokens,
 ];
 #[cfg(feature = "token-generator")]
 let routes = vec![routes, routes![
@@ -137,6 +139,21 @@ pub fn log_access(
 })
 }
+#[get("/_revoked-tokens")]
+fn revoked_tokens(token: Token) -> Result {
+ if !token.profiles().contains(&"*".to_owned()) {
+ Err(Error::Forbidden)?
+ }
+
+ let mut res = String::new();
+ for token in REVOKED_TOKENS.read().unwrap().iter() {
+ res.push_str(std::str::from_utf8(token).unwrap_or(""));
+ res.push('\n');
+ }
+
+ Ok(res)
+}
+
 #[cfg(feature = "token-generator")]
 pub mod token_generator {
 use orangutan_refresh_token::RefreshToken;
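Review bot: Nothing in this diff shows how the new `Error::Forbidden` variant in `main.rs` is turned into an HTTP response, so unless the existing responder handles every variant explicitly it may come out as a generic 500 rather than a 403. Please confirm the status mapping, and add a doc comment that separates it from `Unauthorized`, for example `/// Authenticated, but the token lacks the required profile (HTTP 403).`. The enum body starts and ends outside the hunk, so the responder may already cover this.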
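Review bot: In `revoked_tokens`, `REVOKED_TOKENS.read().unwrap()` panics on every request once the lock has been poisoned, and `unwrap_or("")` prints an empty line for any entry that is not valid UTF-8, so the listing can silently under-report. The fence below recovers the guard from a poisoned lock, decodes lossily, and renames the loop variable, which currently shadows the request `token`. Separately, the response body is the raw token bytes: if the revocation set does not survive a restart (not visible here), a copied listing would hold usable credentials again, so a digest or token id would be safer output. `Err(Error::Forbidden)?` would also read more plainly as `return Err(Error::Forbidden);`.

```rust
// … unchanged: route attribute, signature and wildcard-profile check …

    // A poisoned lock still guards a readable set; recover it instead of panicking.
    let revoked = REVOKED_TOKENS
        .read()
        .unwrap_or_else(|poisoned| poisoned.into_inner());

    let mut res = String::new();
    for revoked_token in revoked.iter() {
        // Lossy decoding keeps non-UTF-8 entries visible instead of emitting a blank line.
        res.push_str(&String::from_utf8_lossy(revoked_token));
        res.push('\n');
    }

    Ok(res)
```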