If I recall correctly, there is no TTL for the tokens (I am still using mine which are ~one year)
As for revoking permission - I don’t believe there is a way to do it via the API, the user would have to go into their Connections page and disconnect from there.
Thanks, @Larklen, that is what I read so far online. No TTL for access token and seems to be active until manually revoke it from UI. And no API to revoke token. Not standard OAuth implementation though.