Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Revoking a refresh token

Written by
Updated at May 26, 2025

To revoke a refresh token for a federated user:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. View the description of the refresh token revocation command:

    yc iam refresh-token revoke --help

  2. To revoke certain refresh tokens, get their IDs first.

  3. To revoke one or multiple refresh tokens for a user, run this command:

    Warning

    You can run the yc iam refresh-token revoke command without any additional parameters. In this case, it will revoke all refresh tokens for the user currently authenticated in the Yandex Cloud CLI.

    When revoking all refresh tokens for the current user, the yc iam refresh-token revoke command will first prompt you to confirm this action in the terminal.

    yc iam refresh-token revoke \
  --refresh-token <refresh_token_body_in_stdin>
  --refresh-token-id <refresh_token_ID> \
  --subject-id <user_ID> \
  --client-id <OAuth_app_ID> \
  --client-instance-info <OAuth_app_version>

    Where:

    • --refresh-token: Body of the refresh token to revoke. Provide the value in the standard input stream, stdin. This is an optional parameter. Example of use:

      • To provide the token body in a string: yc iam refresh-token revoke --refresh-token <<< "<refresh_token_body>".
      • To provide the token body in a file: yc iam refresh-token revoke --refresh-token < <path_to_refresh_token_body_file>.

      You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token.

    • --refresh-token-id: ID of the refresh token to revoke. This is an optional parameter.

      You cannot use any other yc iam refresh-token revoke parameters together with --refresh-token-id.

    • --subject-id: ID of the federated user whose refresh tokens you want to revoke. This is an optional parameter. If not specified, the system will revoke the refresh tokens for the user currently authenticated in the Yandex Cloud CLI.

      By default, any federated user can revoke their refresh tokens. To revoke refresh tokens of other users, a user must have one of the following roles for the organization: organization-manager.federations.userAdmin or iam.userAccounts.refreshTokenRevoker.

    • --client-id: ID of the OAuth application you want to revoke refresh tokens for, e.g., yc.oauth.public-sdk for the Yandex Cloud CLI. This is an optional parameter.

    • --client-instance-info: Version ID of the OAuth application you want to revoke refresh tokens for, e.g., yc/0.141.0. This is an optional parameter.

    Result:

    done (3s)
refresh_token_ids:
  - dda5243b-34b9-415e-a534-fdb8********
  - 07998b66-9f3d-472b-9357-a904********

Use the revoke REST API method for the RefreshToken resource or the RefreshTokenService/Revoke gRPC API call.

Previous
Getting a list of refresh tokens
Next
Managing static access keys