Revoke a Human Session

Invalidate a human API session explicitly instead of waiting for the access token to expire.

Best for CLI user and API client Updated April 3, 2026

API In this interface

4 steps Steps

2 interfaces Available in

Use this path when

Call the revoke endpoint with the bearer access token, the refresh token, or both.

What you'll finish here

Where this happens

Label	Value	Notes
Endpoint	POST /api/v1/auth/revoke	Revokes a human API session.

Use the version that matches where you are working now. The subject matter stays the same; the delivery changes by surface.

Follow the REST API version of this task.

Follow the CLI version of this task.

Use PAT revocation for personal API keys and secret rotation for workspace automations. Do not use session revoke for those credential types.

1. Send the current bearer access token in the `Authorization` header when available.
2. Include the `refreshToken` in the request body when you still have it.
3. Wait for the success response before clearing local auth state.
4. Delete locally cached session tokens immediately after a successful revoke.

Stay in the same interface and move to the next closest task in this topic when needed.

Start the OTP flow and send a sign-in code to the correct email address.

Complete the OTP flow, establish the human session, and move into the workspace or terminal workflow.

Keep a human API session alive by exchanging the refresh token for a fresh token pair.

These guides stay close to the current workflow so you can keep moving without restarting discovery.

Revoke a human-owned API key by credential id when it is obsolete, leaked, or no longer appropriate for the workflow.