© 2025 Direct Cursus Technology L.L.C.

Revoking a refresh token

Written by
Yandex Cloud
Updated at March 31, 2025

To revoke a refresh token for a federated user:

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. View the description of the refresh token revocation command:

    yc iam refresh-token revoke --help
    
  2. To revoke certain refresh tokens, get their IDs first.

  3. To revoke one or multiple refresh tokens for a user, run this command:

    Warning

    You can run the yc iam refresh-token revoke command without any additional parameters. In this case, it will revoke all refresh tokens for the user currently authenticated in the Yandex Cloud CLI.

    When revoking all refresh tokens for the current user, the yc iam refresh-token revoke command will first prompt you to confirm this action in the terminal.

    yc iam refresh-token revoke \
      --refresh-token <refresh_token_body_in_stdin> \
      --refresh-token-id <refresh_token_ID> \
      --subject-id <user_ID> \
      --client-id <OAuth_app_ID> \
      --client-instance-info <OAuth_app_version>
    

    Where:

    • --refresh-token: Body of the refresh token to revoke. Provide the value in the standard input stream, stdin. This is an optional parameter. Usage examples:

      • To provide the token body in a string: yc iam refresh-token revoke --refresh-token <<< "<refresh_token_body>".
      • To provide the token body in a file: yc iam refresh-token revoke --refresh-token < <path_to_refresh_token_body_file>.

      You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token.

    • --refresh-token-id: ID of the refresh token to revoke. This is an optional parameter.

      You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token-id.

    • --subject-id: ID of the federated user whose refresh tokens you want to revoke. This is an optional parameter. If not specified, the system will revoke the refresh tokens for the user currently authenticated in the Yandex Cloud CLI.

      By default, any federated user can revoke their refresh tokens. To revoke refresh tokens of other users, a user must have one of the following roles for the organization: organization-manager.federations.userAdmin or iam.userAccounts.refreshTokenRevoker.

    • --client-id: ID of the OAuth application you want to revoke refresh tokens for, e.g., yc.oauth.public-sdk for the Yandex Cloud CLI. This is an optional parameter.

    • --client-instance-info: Version ID of the OAuth application you want to revoke refresh tokens for, e.g., yc/0.141.0. This is an optional parameter.

    Result:

    done (3s)
    refresh_token_ids:
      - dda5243b-34b9-415e-a534-fdb8********
      - 07998b66-9f3d-472b-9357-a904********
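
For scripted use, the parameter rules above can be enforced before the CLI is called. The wrapper below is an added example, not part of the original guide or of the Yandex Cloud CLI; `safe_revoke` and `DRY_RUN` are hypothetical names, and the stdin-based `--refresh-token` form is deliberately not handled.

```shell
#!/bin/sh
# Added example: guarded wrapper for scripted use of `yc iam refresh-token revoke`.
# safe_revoke and DRY_RUN are hypothetical names; the flags are those documented above.
safe_revoke() {
    token_id="" subject="" client="" instance=""
    while [ $# -gt 0 ]; do
        # An empty value (e.g. an unset variable in the caller) would silently
        # widen the scope to the current CLI user, so reject it outright.
        [ $# -ge 2 ] && [ -n "$2" ] || { echo "safe_revoke: $1 needs a non-empty value" >&2; return 2; }
        case "$1" in
            --refresh-token-id)     token_id="$2" ;;
            --subject-id)           subject="$2" ;;
            --client-id)            client="$2" ;;
            --client-instance-info) instance="$2" ;;
            *) echo "safe_revoke: unsupported argument: $1" >&2; return 2 ;;
        esac
        shift 2
    done

    # Rule 1: with no parameters the CLI targets every refresh token of the
    # currently authenticated user. A script should never reach that prompt.
    if [ -z "$token_id$subject$client$instance" ]; then
        echo "safe_revoke: refusing to run without a scope" >&2
        return 1
    fi
    # Rule 2: --refresh-token-id cannot be combined with other parameters.
    if [ -n "$token_id" ] && [ -n "$subject$client$instance" ]; then
        echo "safe_revoke: --refresh-token-id must be used alone" >&2
        return 1
    fi

    # Rebuild the argument list from validated values only.
    set -- iam refresh-token revoke
    [ -z "$token_id" ] || set -- "$@" --refresh-token-id "$token_id"
    [ -z "$subject" ]  || set -- "$@" --subject-id "$subject"
    [ -z "$client" ]   || set -- "$@" --client-id "$client"
    [ -z "$instance" ] || set -- "$@" --client-instance-info "$instance"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "yc $*"        # show what would run instead of running it
    else
        yc "$@"
    fi
}

# Constructed values: preview revoking one user's tokens for the CLI OAuth app.
( DRY_RUN=1; safe_revoke --subject-id "<user_ID>" --client-id yc.oauth.public-sdk )
```

Run it with `DRY_RUN=1` first to review the exact command, then unset `DRY_RUN` to perform the revocation.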
    

API

Use the revoke REST API method for the RefreshToken resource or the RefreshTokenService/Revoke gRPC API call.
