A new platform for documentation and tutorials is launching soon.
We are migrating Vault documentation into HashiCorp Developer, our new developer experience.
token revoke revokes authentication tokens and their children. If a TOKEN
is not provided, the locally authenticated token is used. The
-mode flag can
be used to control the behavior of the revocation.
Revoke a token and all the token's children:
$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017 Success! Revoked token (if it existed)
Revoke a token leaving the token's children:
$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017 Success! Revoked token (if it existed)
Revoke a token by accessor:
$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da Success! Revoked token (if it existed)
The following flags are available in addition to the standard set of flags included on all commands.
(bool: false)- Treat the argument as an accessor instead of a token.
(string: "")- Type of revocation to perform. If unspecified, Vault will revoke the token and all of the token's children. If "orphan", Vault will revoke only the token, leaving the children as orphans. If "path", tokens created from the given authentication path prefix are deleted along with their children.
-self- Perform the revocation on the currently authenticated token.