Hi,
the Remote environments documentation describes how to generate a token to automate interactions with Charmhub.
If such a token was leaked, what would be the process to revoke it?
Regards,
Hi, /v1/tokens/revoke describes the API for revoking tokens.
I’m not aware of charmcraft CLI supporting this, but see an example list/revoke flow:

1. Export a token to use with curl:

```bash
charmcraft login --export my-charmhub-login
```

2. List tokens:

```bash
curl -H "Authorization: Macaroon $(cat my-charmhub-login | base64 -d | jq -r .v)" https://api.charmhub.io/v1/tokens | jq .
```

3. Revoke the relevant token:

```bash
curl -H "Authorization: Macaroon $(cat my-charmhub-login | base64 -d | jq -r .v)" https://api.charmhub.io/v1/tokens/revoke -H "Content-Type: application/json" -d '{"session-id": "<tokensessionidhere>"}' | jq .
```
thanks,
updated to have an ultimate nuker
```bash
#!/bin/bash
# Keep the exported credentials file readable by the current user only
umask 077

# Configuration
TEMP_LOGIN="temporary_auth_token.json"
# Remove the exported credentials even if the script exits early
trap 'rm -f "$TEMP_LOGIN"' EXIT

echo "--- Charmhub Token Revocation Utility ---"

# 1. Login and Export
# This will open your browser for Ubuntu One SSO
echo "1. Please log in to authorize the revocation process..."
charmcraft login --export "$TEMP_LOGIN"
if [ ! -f "$TEMP_LOGIN" ]; then
    echo "Error: Failed to export login. Exiting."
    exit 1
fi

# 2. Extract the Macaroon
echo "2. Extracting Macaroon for API access..."
MACAROON=$(base64 -d < "$TEMP_LOGIN" | jq -r .v)
if [ -z "$MACAROON" ] || [ "$MACAROON" = "null" ]; then
    echo "Error: No macaroon found in exported login. Exiting."
    exit 1
fi

# 3. Fetch all active session IDs
echo "3. Fetching list of all active tokens..."
# The jq filter .[] | .[]? ensures we grab the array inside the response object
SESSIONS=$(curl -s -H "Authorization: Macaroon $MACAROON" https://api.charmhub.io/v1/tokens | jq -r '.[] | .[]? | ."session-id" // empty')
if [ -z "$SESSIONS" ]; then
    echo "No active tokens found to revoke."
else
    echo "Found the following sessions: "
    echo "$SESSIONS"
    echo "----------------------------------------"
    # 4. Loop through and revoke each session
    for ID in $SESSIONS; do
        echo "Revoking session: $ID"
        RESPONSE=$(curl -s -X POST "https://api.charmhub.io/v1/tokens/revoke" \
            -H "Authorization: Macaroon $MACAROON" \
            -H "Content-Type: application/json" \
            -d "{\"session-id\": \"$ID\"}")
        # Check if successful
        if echo "$RESPONSE" | jq -e '.["revoked-at"]' > /dev/null; then
            echo "Successfully revoked."
        else
            echo "Failed or already revoked: $(echo "$RESPONSE" | jq -c .)"
        fi
    done
fi

# 5. Cleanup
echo "----------------------------------------"
echo "5. Cleaning up sensitive files and local session..."
rm -f "$TEMP_LOGIN"
charmcraft logout
echo "SUCCESS: All tokens associated with this account have been processed."
echo "You are now logged out. Run 'charmcraft login' when you are ready to start fresh."
```
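As an added example that is not part of the thread or of Charmhub's own tooling: a narrower alternative to revoking everything, which revokes only the named session ids and then re-lists to confirm none of them is still live. The `macaroons` wrapper key in the constructed sample, the function names and the session ids are assumptions; the endpoints, the `v` field and the `session-id` / `revoked-at` fields are the ones used in the posts above.

```python
import base64
import json
import urllib.request

API = "https://api.charmhub.io/v1/tokens"  # endpoint quoted in the thread

# Constructed sample of a token listing; the wrapper key and values are assumptions.
SAMPLE_LISTING = {"macaroons": [
    {"session-id": "SID-LEAKED", "revoked-at": None},
    {"session-id": "SID-OLD", "revoked-at": "2024-01-01T00:00:00Z"},
    {"session-id": "SID-CI", "revoked-at": None},
]}

def macaroon_from_export(blob):
    """Decode `charmcraft login --export` output: base64 JSON, macaroon under "v"."""
    value = json.loads(base64.b64decode(blob.strip())).get("v")
    if not isinstance(value, str) or not value:
        raise ValueError('exported credentials have no "v" field')
    return value

def sessions_to_revoke(listing, leaked_ids):
    """Session ids from leaked_ids that the listing shows as not yet revoked."""
    found = []
    for group in listing.values():  # same traversal as the thread's jq filter
        for tok in group if isinstance(group, list) else []:
            if isinstance(tok, dict) and tok.get("session-id") in leaked_ids \
                    and not tok.get("revoked-at"):
                found.append(tok["session-id"])
    return found

def api_request(macaroon, path="", payload=None):
    """Build a GET (no payload) or JSON POST request; json.dumps escapes the id."""
    data = None if payload is None else json.dumps(payload).encode()
    return urllib.request.Request(
        API + path, data=data, method="GET" if data is None else "POST",
        headers={"Authorization": f"Macaroon {macaroon}",
                 "Content-Type": "application/json"})

def revoke_leaked(macaroon, leaked_ids):
    """Revoke only the leaked sessions, then re-list; returns ids still live."""
    def call(req):
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    for sid in sessions_to_revoke(call(api_request(macaroon)), leaked_ids):
        call(api_request(macaroon, "/revoke", {"session-id": sid}))
    return sessions_to_revoke(call(api_request(macaroon)), leaked_ids)

if __name__ == "__main__":
    print(sessions_to_revoke(SAMPLE_LISTING, {"SID-LEAKED", "SID-OLD"}))
```

Only `revoke_leaked` touches the network; an empty return value means every targeted session now shows as revoked, while tokens such as the CI one stay valid.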