View and Revoke Tokens

JFrog Platform Administration Documentation

Content Type
Administration / Platform

Any token created with expiry greater than the revocable-expiry-threshold parameter can be revoked using the Revoke Token by ID REST API endpoint or in the Access Tokens page in the UI. Note that you can only revoke a token on the instance (or cluster) that issued it unless that instance is part of an Access Federation setup (which requires an Enterprise+ license).Revoke Token by ID


Since 7.21.1, access tokens are scoped tokens. Access to the REST API is always provided by default; in addition, you may specify the group memberships that the token provides. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). See Access Token Structure for details.

A token with an expiry specified will lapse automatically upon reaching its expiry period.

A token that is not expirable (i.e., was created with its expires_in parameter set to 0) must be actively revoked to terminate its usage.

To revoke an access token:

  1. From the Administration module, select User Management | Access Tokens.

  2. From the list, select an access token and click Revoke.

Choosing Whether a Token Gets the "Force Revocable" Flag in the REST API

From Artifactory 7.50.x, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called "force_revocable" in the Create Token REST API. (The "force revocable" flag previously determined whether to create an access token as “revocable”, regardless of any other configuration that might tell it otherwise.)

When this parameter is set to true, we will add the "force_revocable" flag to the token's extension. In addition, a new configuration has been added that sets the default for setting the "force_revocable" default when creating a new token - the default of this configuration will be "false" to ensure that the Circle of Trust remains in place.