Revoking a token immediately blocks every request that presents it. Use revocation when you need a hard stop: a credential you suspect has been exposed, a service account for a departing employee, or an integration you are decommissioning. Unlike rotation, revocation is permanent — the token cannot be re-activated after it is revoked.
Revocation is irreversible. Once you revoke a token, any service still using it will receive 401 Unauthorized on every request. Create a replacement token before revoking if you need continued access.

When to revoke a token

  • Suspected compromise — a token secret appeared in logs, was committed to a repository, or was shared outside your team.
  • Employee offboarding — a team member who held or had access to a token is leaving the organization.
  • End of project or integration — the service that used the token is being retired and the credential is no longer needed.
  • Policy enforcement — your security policy requires periodic cleanup of unused tokens.

Revoke a single token

1. Open the Tokens page

Log in at app.tooken.io and click Tokens in the left sidebar.

2. Find the token to revoke

Locate the token by name or use the search field. Click the token row to open its detail view.

3. Revoke the token

Click Revoke in the token detail panel. A confirmation dialog appears warning you that this action is permanent.

4. Confirm revocation

Click Confirm revoke. The token status changes to revoked immediately, and all subsequent requests using that token are rejected.

If you have webhooks configured, revoking a token triggers a token.revoked event sent to your webhook endpoints. You can use this event to trigger downstream cleanup workflows such as removing the token from a secrets manager.

Bulk revocation

To revoke multiple tokens at once — for example, all tokens belonging to a specific service — list the tokens by name prefix or scope, then loop through the results and revoke each one.
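```javascript
// Placeholder key; load the real key from a secrets manager, never from source control
const apiKey = 'tok_live_xxxxxxxxxxxxxxxxxxxx';
const baseUrl = 'https://api.tooken.io/v1';
const headers = { 'Authorization': `Bearer ${apiKey}` };

// Fetch all active tokens
const listResponse = await fetch(`${baseUrl}/tokens?status=active`, { headers });
if (!listResponse.ok) {
  throw new Error(`Listing tokens failed: HTTP ${listResponse.status}`);
}
const { data: tokens } = await listResponse.json();

// Revoke tokens whose names match a pattern
const targets = tokens.filter(t => t.name.startsWith('ci-staging'));

// fetch() resolves even on HTTP error statuses, so record the outcome of each DELETE
const results = await Promise.all(
  targets.map(async token => {
    const res = await fetch(`${baseUrl}/tokens/${token.id}`, {
      method: 'DELETE',
      headers,
    });
    return { id: token.id, ok: res.ok, status: res.status };
  })
);

// Report only the revocations the API actually accepted
const failed = results.filter(r => !r.ok);
console.log(`Revoked ${results.length - failed.length} of ${targets.length} token(s).`);
failed.forEach(r => console.error(`Failed to revoke ${r.id}: HTTP ${r.status}`));
```
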
Before running a bulk revocation in production, log the list of matched tokens to confirm you are targeting the right set. Revocation is permanent and cannot be undone.
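
One way to build that confirmation step into the script, as an added example that is not Tooken's own code: it computes the list of matched tokens first and sends DELETE requests only when `confirm` is true. The function names, the `confirm` flag, the injected `fetchImpl` and the sample tokens are assumptions; the `id` and `name` fields and the DELETE endpoint are the ones used in the snippet above.

```javascript
// Added example: dry-run-first bulk revocation. Function names, the `confirm`
// flag and the injected `fetchImpl` are assumptions, not part of the Tooken API.
const BASE_URL = 'https://api.tooken.io/v1';

// Build the list of tokens that would be revoked, without sending anything.
function planRevocation(tokens, prefix) {
  // An empty prefix makes startsWith() match every token, so refuse it.
  if (typeof prefix !== 'string' || prefix.trim() === '') {
    throw new Error('Refusing to plan a revocation with an empty name prefix');
  }
  return tokens
    .filter(t => typeof t.name === 'string' && t.name.startsWith(prefix))
    .map(t => ({ id: t.id, name: t.name }));
}

// Revoke the planned tokens one by one. Nothing is sent unless confirm === true.
async function revokePlanned(plan, { apiKey, confirm = false, fetchImpl = globalThis.fetch }) {
  if (confirm !== true) {
    return { dryRun: true, revoked: [], failed: [], wouldRevoke: plan };
  }
  const revoked = [];
  const failed = [];
  for (const token of plan) {
    try {
      const res = await fetchImpl(`${BASE_URL}/tokens/${encodeURIComponent(token.id)}`, {
        method: 'DELETE',
        headers: { Authorization: `Bearer ${apiKey}` },
      });
      // fetch() resolves on HTTP errors, so check the status explicitly.
      (res.ok ? revoked : failed).push({ ...token, status: res.status });
    } catch (err) {
      failed.push({ ...token, error: err.message });
    }
  }
  return { dryRun: false, revoked, failed, wouldRevoke: [] };
}

// Constructed sample data, not real tokens.
const sampleTokens = [
  { id: 'tkn_001', name: 'ci-staging-deploy' },
  { id: 'tkn_002', name: 'ci-staging-tests' },
  { id: 'tkn_003', name: 'ci-production-deploy' },
];

// Review this output before calling revokePlanned() with confirm: true.
console.log(planRevocation(sampleTokens, 'ci-staging'));
```

Keep the returned `failed` list: any token in it is still active and needs a retry or a manual revoke.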

Next steps

Rotate token secrets

Issue a new secret for an existing token while keeping the same ID and scopes — a non-destructive alternative to revocation.

Create a new token

Generate a replacement token with the scopes and expiration policy your service needs.