Revoke a Human Session

Invalidate a human API session explicitly instead of waiting for the access token to expire.

Best for CLI user and API client Updated April 3, 2026

CLI In this interface

4 steps Steps

2 interfaces Available in

Use this path when

Use the built-in revoke command for the currently stored human session.

What you'll finish here

Where this happens

Label	Value	Notes
Command	./backlog.sh auth revoke	Revokes the current stored human session.

Use the version that matches where you are working now. The subject matter stays the same; the delivery changes by surface.

Follow the REST API version of this task.

Follow the CLI version of this task.

Use PAT revocation for personal API keys and secret rotation for workspace automations. Do not use session revoke for those credential types.

1. Confirm that the current auth mode is a human session rather than a PAT or automation token.
2. Run `./backlog.sh auth revoke`.
3. Let the CLI clear the access token, refresh token, and in-memory app access token state after success.
4. Run `./backlog.sh status` if you want to confirm the profile is now unauthenticated.

Stay in the same interface and move to the next closest task in this topic when needed.

Start the OTP flow and send a sign-in code to the correct email address.

Complete the OTP flow, establish the human session, and move into the workspace or terminal workflow.

Keep a human API session alive by exchanging the refresh token for a fresh token pair.

These guides stay close to the current workflow so you can keep moving without restarting discovery.

Revoke a human-owned API key by credential id when it is obsolete, leaked, or no longer appropriate for the workflow.