How to Revoke Credentials

This guide shows you how to revoke API credentials that are no longer needed or may have been compromised.

Before You Start

Ensure you have:

• The client ID of the credential to revoke
• Admin access (credentials.write scope)
• Certainty that no systems depend on this credential

Revoke a Credential

1. Find the Client ID

List credentials to find the one you want to revoke:

arctic credentials list

2. Revoke the Credential

arctic credentials revoke CLIENT_ID

3. Verify Revocation

Confirm the credential no longer appears:

arctic credentials list

Immediate Effect

Revocation takes effect immediately:

• Existing access tokens issued to this credential become invalid
• New token requests with this credential will fail
• There is no grace period (unlike rotation)

When to Revoke

Consider revoking credentials when:

• Credential compromised: Someone gained unauthorized access
• Employee departure: Remove access for former team members
• Scope change: Replace with credentials having different permissions
• Cleanup: Remove unused credentials

Cannot Revoke Current Credential

You cannot revoke the credential you are currently using:

Error: cannot revoke the credential currently in use

To revoke your current credential:

1. Create new credentials: arctic credentials create
2. Update your config to use the new credentials
3. Revoke the old credential

Troubleshooting

Credential Not Found

If the client ID is not found:

1. Verify the client ID: arctic credentials list
2. The credential may have already been revoked

Cannot Revoke

If revocation fails:

1. Check you have credentials.write scope
2. Verify you are not revoking your current credential
3. Check agent logs for errors

Related

• Create Credentials
• Rotate Credentials
• credentials CLI Reference