Skip to content
Latchkey

vault token revoke: Revoke Tokens and Leases

vault token revoke invalidates a token immediately, along with its child tokens and associated leases.

Short TTLs limit exposure, but revoking at the end of a job removes a leaked token right away. revoke supports self-revocation and revocation by accessor for cleanup.

What it does

vault token revoke invalidates a token. By default it also revokes the token children and any leases they created (a tree revocation). -self revokes the calling token; -accessor revokes by accessor; -mode=orphan revokes the token but keeps its children.

Common usage

Terminal
vault token revoke -self
# revoke a specific token by accessor (no token value needed)
vault token revoke -accessor hmac-...
# revoke without killing children
vault token revoke -mode=orphan s.SOMETOKEN

Options

FlagWhat it does
-selfRevoke the calling token
-accessorRevoke by token accessor instead of value
-mode=orphanRevoke the token but orphan its children
-mode=pathRevoke all tokens under a given auth path (sudo)

In CI

Add vault token revoke -self to a job teardown so a token cannot outlive the run even if its TTL is long. Revoking by -accessor is ideal for a janitor step: it can clean up tokens it can identify but never possess. Self-revocation needs only the default policy.

Common errors in CI

"permission denied" revoking another token means you lack auth/token/revoke or revoke-accessor; self-revocation works with default. Revoking an already-revoked or expired token returns success (idempotent). -mode=path requires sudo on auth/token/revoke-orphan style paths and is an admin operation.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →