htdestroytoken.1

.TH htdestroytoken 1
.SH NAME
htdestroytoken \- remove bearer and vault tokens

.SH SYNOPSIS
.B htdestroytoken
[-h] [-q] [-f [htgettoken options]]"
.SH DESCRIPTION
.B htdestroytoken
by default removes a bearer token found by WLCG Bearer Token Discovery and
also removes a vault token found either by the environment variable
$VAULT_TOKEN_FILE or in the default location used by 
.BR htgettoken .
.PP
Note that the vault server additionally caches refresh tokens and bearer
tokens, so this alone does not completely clear them.  The
.I -f
option (described below) can remove the refresh token to force a new
oidc authentication.
If that is not used and
.B htgettoken
is subsequently run and gets a new vault token with one of the non-oidc
authentication methods, it is possible that the same bearer token might
be returned from the vault cache unless a new one is forced to be
retrieved with an
.B htgettoken
.I \-\-minsecs
option.

.SH OPTIONS
The following options are recognized:
.PP
.TP
.B \-h
Show help message.
.TP
.B \-q
Do removals silently.
.TP
.B \-f [htgettoken options]
Force a removal of the refresh token in vault before removal of the
vault token, if the vault token is valid.  This runs
.B htgettoken
to locate the path in vault to remove, so sufficient options to locate
that path such as
.IR \-a ,
.I \-i
and possibly
.I \-r
need to either be passed on the rest of the command line or in the
$HTGETTOKENOPTS environment variable.
If this option is given and the removal of the refresh token fails,
the command will exit and not remove the vault or bearer tokens.

.SH AUTHOR
Dave Dykstra

.SH COPYRIGHT
Copyright \(co 2023 Fermi National Accelerator Laboratory

.SH "SEE ALSO"
htgettoken(1), htdecodetoken(1)