Revoking a refresh token
Note
Once issued in the application, refresh tokens are automatically added to the user profile.
To revoke a refresh token for a federated user:
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, click Users.
- Locate the user in the list. Use the filter or search bar at the top of the screen as needed.
- Navigate to the Refresh tokens tab.
- Click next to the token and select Delete.
- To revoke all tokens, click Delete all tokens.
You can also revoke your refresh tokens through the My account portal.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
- View the description of the refresh token revocation command:
  yc iam refresh-token revoke --help
- To revoke certain refresh tokens, get their IDs first.
- To revoke one or multiple refresh tokens for a user, run this command:
Warning
You can run the yc iam refresh-token revoke command without any additional parameters. In this case, it will revoke all refresh tokens for the user currently authenticated in the Yandex Cloud CLI.
When revoking all refresh tokens for the current user, the yc iam refresh-token revoke command will first prompt you to confirm this action in the terminal.

yc iam refresh-token revoke \
  --refresh-token <refresh_token_body_in_stdin> \
  --refresh-token-id <refresh_token_ID> \
  --subject-id <user_ID> \
  --client-id <OAuth_app_ID> \
  --client-instance-info <OAuth_app_version>

Where:
- --refresh-token: Body of the refresh token to revoke. Provide the value in the standard input stream, stdin. This is an optional setting. Examples of use:
  - To provide the token body in a string:
    yc iam refresh-token revoke --refresh-token <<< "<refresh_token_body>"
  - To provide the token body in a file:
    yc iam refresh-token revoke --refresh-token < <path_to_refresh_token_body_file>
  You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token.
- --refresh-token-id: ID of the refresh token to revoke. This is an optional setting.
  You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token-id.
- --subject-id: ID of the federated user whose refresh tokens you want to revoke. This is an optional setting. If not specified, the system will revoke the refresh tokens for the user currently authenticated in the Yandex Cloud CLI.
  By default, any federated user can revoke their refresh tokens. To revoke refresh tokens of other users, a user must have one of the following roles for the organization: organization-manager.federations.userAdmin or iam.userAccounts.refreshTokenRevoker.
- --client-id: ID of the OAuth application you want to revoke refresh tokens for, e.g., yc.oauth.public-sdk for the Yandex Cloud CLI. This is an optional setting.
- --client-instance-info: Version ID of the OAuth application you want to revoke refresh tokens for, e.g., yc/0.141.0. This is an optional setting.
Result:
done (3s)
refresh_token_ids:
  - dda5243b-34b9-415e-a534-fdb8********
  - 07998b66-9f3d-472b-9357-a904********
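The parameter rules above can be checked before the CLI is invoked, which is useful in incident-response scripts where an empty argument list would revoke every token of the current user. The function below is an added example, not part of the Yandex Cloud documentation or CLI: build_revoke_cmd is a hypothetical helper that only prints the yc command line it would run. It assumes --refresh-token takes no value because the body is read from stdin, as in the examples above.

```shell
# Added example: hypothetical pre-flight check for "yc iam refresh-token revoke".
# It never calls yc; it prints the command for review (values are not shell-quoted).
build_revoke_cmd() {
    cmd="yc iam refresh-token revoke" exclusive=0 others=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --refresh-token)
                # Assumption: no value follows, the token body arrives on stdin.
                exclusive=$((exclusive + 1)); cmd="$cmd $1"; shift ;;
            --refresh-token-id)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
                exclusive=$((exclusive + 1)); cmd="$cmd $1 $2"; shift 2 ;;
            --subject-id|--client-id|--client-instance-info)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
                others=$((others + 1)); cmd="$cmd $1 $2"; shift 2 ;;
            *)
                echo "unknown parameter: $1" >&2; return 2 ;;
        esac
    done

    # No parameters at all means "revoke all tokens of the current CLI user".
    # Require an explicit filter so this cannot happen by accident in a script.
    if [ $((exclusive + others)) -eq 0 ]; then
        echo "refusing: no parameters would revoke all tokens of the current user" >&2
        return 3
    fi

    # --refresh-token and --refresh-token-id each exclude every other parameter.
    if [ "$exclusive" -gt 1 ] || { [ "$exclusive" -eq 1 ] && [ "$others" -gt 0 ]; }; then
        echo "refusing: --refresh-token / --refresh-token-id must be used alone" >&2
        return 4
    fi

    printf '%s\n' "$cmd"
}

# Constructed sample values: revoke one user's tokens issued to the Yandex Cloud CLI.
build_revoke_cmd --subject-id user-constructed-1 --client-id yc.oauth.public-sdk
```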
Use the revoke REST API method for the RefreshToken resource or the RefreshTokenService/Revoke gRPC API call.
Refresh tokens are also automatically deleted seven days after their lifetime expires.