This guide covers token management commands for security and session control.
Revoke your own authentication token (logout).
pangolin-admin revoke-token
Parameters: None
# Logout by revoking your own token
pangolin-admin revoke-token
✅ Token revoked successfully!
You have been logged out. Please login again to continue.
- Revokes the currently authenticated token
- Effectively logs you out
- You'll need to login again to use the CLI
- Cannot be undone
pangolin-admin revoke-token-by-id --id <TOKEN_ID>
- --id - UUID of the token to revoke (required)
# Revoke a specific token
pangolin-admin revoke-token-by-id --id "token-uuid"
✅ Token token-uuid revoked successfully!
List all active tokens for a specific user.
pangolin-admin list-user-tokens --user-id <USER_ID>
pangolin-admin list-user-tokens --user-id "user-uuid"

Forcefully delete a token record.
pangolin-admin delete-token --token-id <TOKEN_ID>
pangolin-admin delete-token --token-id "token-uuid"

# When done working
pangolin-admin revoke-token
# If a user's credentials are compromised
pangolin-admin revoke-token-by-id --id "compromised-token-uuid"
# End all sessions for a user (requires listing tokens first)
# Note: Token listing endpoint may be needed
pangolin-admin revoke-token-by-id --id "token-1"
pangolin-admin revoke-token-by-id --id "token-2"

- End of Work Session: Always revoke when done
- Security Incident: Immediately revoke compromised tokens
- User Offboarding: Revoke all tokens when user leaves
- Suspicious Activity: Revoke tokens showing unusual patterns
- Regular Rotation: Periodically revoke and re-issue tokens
Login → Token Issued → Work Session → Revoke Token → Logout
Each login creates a new token:
- Desktop: token-1
- Laptop: token-2
- CI/CD: token-3
Revoke individually or all at once.
# 1. Finish work
pangolin-admin list-catalogs
# 2. Logout
pangolin-admin revoke-token
# 3. Login again later
pangolin-admin login --username admin --password password

# 1. Login as admin
pangolin-admin login --username admin --password password
# 2. Identify compromised token
# (from security logs or monitoring)
# 3. Revoke the token
pangolin-admin revoke-token-by-id --id "compromised-token-uuid"
# 4. Notify the user
echo "Token revoked. Please contact security."

#!/bin/bash
# Rotate tokens for all service users weekly
# Get all service user tokens
# (requires token listing endpoint)
# Placeholder IDs; replace with the token IDs to rotate
OLD_TOKENS=("token-1" "token-2")
# Revoke old tokens
for token_id in "${OLD_TOKENS[@]}"; do
    pangolin-admin revoke-token-by-id --id "$token_id"
done
# Users will need to re-authenticate

401 Unauthorized:
Error: API Request Failed: Failed to revoke token (401): Not authenticated
- Solution: Login first
403 Forbidden:
Error: API Request Failed: Failed to revoke token (403): Insufficient permissions
- Solution: Only admins can revoke other users' tokens
404 Not Found:
Error: API Request Failed: Failed to revoke token (404): Token not found
- Solution: Token may already be revoked or invalid
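
An added example (not from the Pangolin documentation or code base) of ending all sessions for a user while handling the error responses listed above: it revokes each token ID read from standard input and treats a 404 as already revoked. The function names, the `PANGOLIN_CLI` override and the one-ID-per-line input are assumptions; the output format of `list-user-tokens` is not shown on this page, so extracting the IDs is left to the caller.

```shell
#!/bin/sh
# Added example, not project code. Results are classified from the CLI's
# message text (as shown in the error samples), not from its exit code,
# because the exit codes are not documented on this page.
PANGOLIN_CLI="${PANGOLIN_CLI:-pangolin-admin}"   # assumption: overridable for testing

# Map CLI output to one of: revoked | already-gone | auth | denied | error
classify_revoke_output() {
    case "$1" in
        *"revoked successfully"*) echo revoked ;;
        *"(404)"*) echo already-gone ;;   # token already revoked or invalid
        *"(401)"*) echo auth ;;           # not logged in
        *"(403)"*) echo denied ;;         # caller is not an admin
        *) echo error ;;
    esac
}

# Read token IDs (one per line) from stdin and print "<id> <status>" for each.
# Returns 0 if every token is revoked or already gone, 1 if any revocation
# failed for another reason, 2 (and stops) on 401/403, since retrying the
# remaining IDs without a valid admin session cannot succeed.
revoke_all() {
    rc=0
    while IFS= read -r id || [ -n "$id" ]; do
        [ -n "$id" ] || continue
        # </dev/null keeps the CLI from consuming the ID list on stdin
        out=$($PANGOLIN_CLI revoke-token-by-id --id "$id" 2>&1 </dev/null) || true
        status=$(classify_revoke_output "$out")
        echo "$id $status"
        case "$status" in
            revoked|already-gone) ;;
            auth|denied) return 2 ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Usage: revoke_all < token_ids.txt
```

Keep the printed `<id> <status>` lines with the incident record so there is evidence of which tokens were revoked and which were already gone.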
- Purpose: User authentication
- Lifetime: Session-based
- Revocation: Via revoke-token commands
- Use: Interactive CLI sessions

- Purpose: Service-to-service auth
- Lifetime: Long-lived (30-90 days)
- Revocation: Via rotate-service-user-key
- Use: Automated systems, CI/CD

- login - Authenticate and get a token
- create-service-user - Create service user with API key
- rotate-service-user-key - Rotate service user API key
- list-service-users - List service users

- Tokens stored in ~/.pangolin/config
- Protect this file (chmod 600)
- Never commit to version control
If a token is exposed:
- Immediately revoke it
- Change your password
- Review access logs
- Notify security team
- All token revocations are logged
- Review logs regularly
- Monitor for unusual patterns
- Always Logout: Revoke tokens when done
- Monitor Sessions: Track active tokens
- Quick Response: Revoke compromised tokens immediately
- Regular Rotation: Implement token rotation policies
- Least Privilege: Use service users for automation
- Audit Regularly: Review token usage logs