vault token revoke: Revoke Tokens and Leases
vault token revoke invalidates a token immediately, along with its child tokens and associated leases.
Short TTLs limit exposure, but revoking at the end of a job removes a leaked token right away. revoke supports self-revocation and revocation by accessor for cleanup.
What it does
vault token revoke invalidates a token. By default it also revokes the token children and any leases they created (a tree revocation). -self revokes the calling token; -accessor revokes by accessor; -mode=orphan revokes the token but keeps its children.
Common usage
vault token revoke -self
# revoke a specific token by accessor (no token value needed)
vault token revoke -accessor hmac-...
# revoke without killing children
vault token revoke -mode=orphan s.SOMETOKENOptions
| Flag | What it does |
|---|---|
| -self | Revoke the calling token |
| -accessor | Revoke by token accessor instead of value |
| -mode=orphan | Revoke the token but orphan its children |
| -mode=path | Revoke all tokens under a given auth path (sudo) |
In CI
Add vault token revoke -self to a job teardown so a token cannot outlive the run even if its TTL is long. Revoking by -accessor is ideal for a janitor step: it can clean up tokens it can identify but never possess. Self-revocation needs only the default policy.
Common errors in CI
"permission denied" revoking another token means you lack auth/token/revoke or revoke-accessor; self-revocation works with default. Revoking an already-revoked or expired token returns success (idempotent). -mode=path requires sudo on auth/token/revoke-orphan style paths and is an admin operation.