htdestroytoken.html

<!-- Creator     : groff version 1.22.3 -->
<!-- CreationDate: Thu Nov 13 15:57:54 2025 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>htdestroytoken</title>

</head>
<body>

<h1 align="center">htdestroytoken</h1>

<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">htdestroytoken
&minus; remove bearer and vault tokens</p>

<h2>SYNOPSIS
<a name="SYNOPSIS"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>htdestroytoken</b>
[-h] [-q] [-f [htgettoken options]]&quot;</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>htdestroytoken</b>
by default removes a bearer token found by WLCG Bearer Token
Discovery and also removes a vault token found either by the
environment variable $VAULT_TOKEN_FILE or in the default
location used by <b>htgettoken</b>.</p>

<p style="margin-left:11%; margin-top: 1em">Note that the
vault server additionally caches refresh tokens and bearer
tokens, so this alone does not completely clear them. The
<i>-f</i> option (described below) can remove the refresh
token to force a new oidc authentication. If that is not
used and <b>htgettoken</b> is subsequently run and gets a
new vault token with one of the non-oidc authentication
methods, it is possible that the same bearer token might be
returned from the vault cache unless a new one is forced to
be retrieved with an <b>htgettoken</b>
<i>&minus;&minus;minsecs</i> option.</p>

<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The following
options are recognized:</p>

<table width="100%" border="0" rules="none" frame="void"
       cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">


<p><b>&minus;h</b></p></td>
<td width="8%"></td>
<td width="32%">


<p>Show help message.</p></td>
<td width="46%">
</td></tr>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">


<p><b>&minus;q</b></p></td>
<td width="8%"></td>
<td width="32%">


<p>Do removals silently.</p></td>
<td width="46%">
</td></tr>
</table>

<p style="margin-left:11%;"><b>&minus;f [htgettoken
options]</b></p>

<p style="margin-left:22%;">Force a removal of the refresh
token in vault before removal of the vault token, if the
vault token is valid. This runs <b>htgettoken</b> to locate
the path in vault to remove, so sufficient options to locate
that path such as <i>&minus;a</i>, <i>&minus;i</i> and
possibly <i>&minus;r</i> need to either be passed on the
rest of the command line or in the $HTGETTOKENOPTS
environment variable. If this option is given and the
removal of the refresh token fails, the command will exit
and not remove the vault or bearer tokens.</p>

<h2>AUTHOR
<a name="AUTHOR"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">Dave
Dykstra</p>

<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">Copyright
&copy; 2023 Fermi National Accelerator Laboratory</p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">htgettoken(1),
htdecodetoken(1)</p>
<hr>
</body>
</html>