Revoke a Principal or Device¶
What this is: cutting off someone's access — or a device's access — immediately and permanently. When you'd do it: someone leaves, a device is lost or stolen, or something looks compromised. How long it takes: under a minute. The system does the rest automatically.
Who can do this: an Admin. These screens only show up if your own login has the Admin role. A normal Operator login won't see the Revoke button — if it's missing, ask an admin to do this.
A quick word before you start: revocation is permanent. There is no undo button. If you revoke someone by mistake, the only way to restore their access is to onboard them again from scratch (see Onboard an Operator). Take a moment to make sure you have the right person or device before you click.
The shape of it¶
```mermaid
flowchart LR
A["You open their<br/>page"] --> B["Click Revoke<br/>and confirm"]
B --> C["All servers stop<br/>trusting them"]
```
One screen, one button, one confirmation. After that, every server in the network will refuse their tokens automatically — you don't need to touch anything else.
Before you start¶
- You're signed in to the Directory site as an admin.
- You know whether you're revoking a person (under Principals) or a device (under Devices).
- You're confident you have the right record. Remember: this cannot be undone.
Steps¶
Revoking a person¶
1. Open the people list. In the top menu, click Principals.
2. Find their record. Click their name to open their page.
3. Revoke them. In the Principal Info card, click Revoke Principal (the red button, bottom right of the card).
4. Confirm. A dialog appears:

   Revoke this principal? Their tokens will be rejected by all servers within the revocation poll window.

   Click OK to continue.
Revoking a device¶
1. Open the device list. In the top menu, click Devices.
2. Find the device. Click its callsign to open its page.
3. Revoke it. In the Device Info card, click Revoke Device (the red button, bottom right of the card).
4. Confirm. A dialog appears:

   Revoke this device? Tokens for this device will be rejected by all servers within the revocation poll window.

   Click OK to continue.
Note: if the Revoke button is greyed out, the system is protecting you from locking yourself out — you cannot revoke the last active principal or device in the system.
How to know it worked¶
- Their page now shows a red revoked badge next to their name.
- The Revoke button is gone — the page is now read-only.
- Within the revocation poll window, every server will start refusing their tokens. No further action needed on your part.
If something goes wrong¶
- You revoked the wrong person. There is no undo. To restore their access, onboard them again as a new principal — see Onboard an Operator. They will get a fresh profile and will need to re-register their security key.
- The Revoke button isn't there. Either the person/device is already revoked (check for the red badge), or you're viewing the page as a non-admin. Ask another admin to check.
- The button is greyed out. The system won't let you revoke the very last active principal or device — it prevents an accidental full lockout. Add another active principal or device first, then revoke this one.
- You're not sure if it's worked yet. The change is instant in the Directory. Servers pick it up automatically within the poll window — you don't need to restart anything or notify servers manually.
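The two behaviours this page relies on, "instant in the Directory, effective on servers within the poll window" and "the last active principal cannot be revoked", are easier to reason about with a small model. The following TypeScript is an added illustration written for this page; it is not code from the Directory project, and every name in it (Directory, Server, Token, the 30 s poll interval, the constructed ids) is an assumption made for the example. It shows why a token can still be accepted for a short time after you click Revoke, and exactly when it stops being accepted.

```typescript
// Added example, not code from the Directory project. It models two things the
// page describes: a revocation is instant in the Directory but reaches servers
// only on their next poll (the "revocation poll window"), and the Directory
// refuses to revoke the last active principal. All names and the 30 s poll
// interval are assumptions made for this illustration.

type Token = { principalId: string; deviceId: string };
type Decision = { accepted: boolean; reason: string };

// The Directory is the source of truth; a revocation takes effect here at once.
class Directory {
  private active = new Set<string>();
  private revokedPrincipals = new Set<string>();
  private revokedDevices = new Set<string>();

  constructor(principals: string[]) {
    principals.forEach((p) => this.active.add(p));
  }

  // Mirrors the greyed-out button: the last active principal cannot be revoked,
  // otherwise every admin could be locked out.
  revokePrincipal(id: string): boolean {
    if (!this.active.has(id)) return false;
    if (this.active.size === 1) return false;
    this.active.delete(id);
    this.revokedPrincipals.add(id);
    return true;
  }

  revokeDevice(id: string): void {
    this.revokedDevices.add(id);
  }

  // What a server fetches on each poll: a snapshot of both revocation lists.
  snapshot(): { principals: Set<string>; devices: Set<string> } {
    return {
      principals: new Set(this.revokedPrincipals),
      devices: new Set(this.revokedDevices),
    };
  }
}

// A server keeps a cached snapshot and refreshes it at most once per poll
// interval, so a fresh revocation becomes visible only after the next poll.
class Server {
  private cache = { principals: new Set<string>(), devices: new Set<string>() };
  private lastPollAt = Number.NEGATIVE_INFINITY;

  constructor(private readonly directory: Directory, readonly pollIntervalMs: number) {}

  private refreshIfDue(now: number): void {
    if (now - this.lastPollAt >= this.pollIntervalMs) {
      this.cache = this.directory.snapshot();
      this.lastPollAt = now;
    }
  }

  verify(token: Token, now: number): Decision {
    this.refreshIfDue(now);
    if (this.cache.principals.has(token.principalId)) {
      return { accepted: false, reason: "principal revoked" };
    }
    if (this.cache.devices.has(token.deviceId)) {
      return { accepted: false, reason: "device revoked" };
    }
    return { accepted: true, reason: "ok" };
  }
}

type Trace = {
  lastPrincipalGuard: boolean;     // revoking the only active principal is refused
  beforeRevoke: Decision;
  justAfterRevoke: Decision;       // inside the poll window: still accepted
  afterPollWindow: Decision;       // next poll has run: rejected
  deviceAfterPollWindow: Decision; // same propagation rule for a revoked device
};

// Scripted timeline (times in ms, constructed ids) showing each checkpoint.
function simulate(): Trace {
  const directory = new Directory(["admin-root", "alice"]);
  const server = new Server(directory, 30_000); // assumed 30 s poll window
  const alice: Token = { principalId: "alice", deviceId: "callsign-01" };
  const rootToken: Token = { principalId: "admin-root", deviceId: "callsign-02" };

  const beforeRevoke = server.verify(alice, 0);          // first poll at t=0
  directory.revokePrincipal("alice");                     // admin clicks Revoke at t=1s
  const justAfterRevoke = server.verify(alice, 1_000);    // cache still fresh
  const afterPollWindow = server.verify(alice, 31_000);   // poll due: rejected
  directory.revokeDevice("callsign-02");                  // lost device at t=32s
  const deviceAfterPollWindow = server.verify(rootToken, 62_000);
  const lastPrincipalGuard = directory.revokePrincipal("admin-root"); // only one left

  return { lastPrincipalGuard, beforeRevoke, justAfterRevoke, afterPollWindow, deviceAfterPollWindow };
}
```

The point to take from the timeline is the second checkpoint: a token presented one second after the click is still accepted because the server's cached list has not been refreshed yet. Nothing is wrong there; it is the poll window the confirmation dialog mentions, and the worst case is one full poll interval. The last call shows the lockout guard returning false rather than revoking the only remaining active principal.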
See also¶
- Operator training index
- Onboard an Operator — if you need to restore access after a mistaken revocation
- Onboard a device — to add a replacement device after revoking a lost one
- Security model — "how revocation spreads" explains how the poll window works
Verified against directory@e8287cd on 2026-06-07 — screens: resources/views/domains/admin/principals/show_principal.edge, .../devices/show_device.edge; logic: app/domains/admin/principals/principals_controller.ts. Principals and Devices are both top-level nav items (resources/views/components/layouts/main.edge).