Errors
auth_token_revoked
401 — the bearer token was issued by Matter but has been explicitly revoked and can no longer authenticate requests.
Cause
Matter returns auth_token_revoked when the presented token hashes to a row that exists in the token table but whose revoked_at column is non-null. Tokens are revoked by an explicit POST /v1/tokens/{id}/revoke call, by automated rotation, by the secret-scanning pipeline if the secret has leaked to a public surface, or by an administrator action in the dashboard.
Revocation is permanent and forward-only — the secret is dead from the revoke timestamp onward. Historical AuditEntry rows that reference the revoked token are preserved unchanged so prior actions remain attributable for the SOC 2 trail. There is no un-revoke operation; recovery is always to mint a new token.
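The lookup described above, as an added example (not Matter's own code). The SHA-256 hash, the expires_at column, the order of the checks (revoked before expired), and the in-memory table are assumptions made for illustration; the sample tokens are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

@dataclass
class TokenRow:
    revoked_at: Optional[datetime] = None  # non-null means revoked (per the page)
    expires_at: Optional[datetime] = None  # assumed column; not named on the page

def hash_token(secret: str) -> str:
    # Assumption: SHA-256 hex digest. The page does not name the hash.
    return hashlib.sha256(secret.encode()).hexdigest()

def classify(header: Optional[str], table: Dict[str, TokenRow], now: datetime) -> Optional[str]:
    """Return the auth error code for a request, or None if it authenticates."""
    scheme, _, secret = (header or "").partition(" ")
    if scheme != "Bearer" or not secret.strip():
        return "auth_missing_credentials"
    row = table.get(hash_token(secret.strip()))
    if row is None:
        return "auth_token_invalid"      # hashes to no row at all
    if row.revoked_at is not None:       # assumed to take precedence over expiry
        return "auth_token_revoked"      # row exists, revoked_at is set
    if row.expires_at is not None and now >= row.expires_at:
        return "auth_token_expired"      # timed out, never revoked
    return None

def revoke(row: TokenRow, now: datetime) -> None:
    # Forward-only: the first revocation timestamp wins and is never cleared.
    if row.revoked_at is None:
        row.revoked_at = now

def day(d: int) -> datetime:
    return datetime(2024, 1, d, tzinfo=timezone.utc)

NOW = day(10)
# Constructed sample rows keyed by token hash; the secrets are made up.
TABLE = {
    hash_token("tok_live"): TokenRow(),
    hash_token("tok_rotated"): TokenRow(revoked_at=day(9)),
    hash_token("tok_old"): TokenRow(expires_at=day(1)),
    hash_token("tok_both"): TokenRow(revoked_at=day(5), expires_at=day(1)),
}

if __name__ == "__main__":
    for s in ("tok_live", "tok_rotated", "tok_old", "tok_both", "tok_unknown"):
        print(s, classify(f"Bearer {s}", TABLE, NOW))
```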
Fix
- Identify why the token was revoked. Check the audit log at /api-reference/audit-entries for a token.revoked event and read the reason field.
- If the revocation was a rotation, fetch the rotated successor from your secrets manager and redeploy. The rotation flow always issues the successor before the predecessor is killed.
- If the revocation was due to a leak, treat any data the token could access as potentially exposed. Audit affected resources before issuing a replacement.
- Mint a fresh token via createToken with the minimum scopes required, store it in your secrets manager, and redeploy.
Related codes
- auth_token_invalid — the token doesn't hash to any row at all.
- auth_token_expired — the token timed out rather than being explicitly revoked.
- auth_missing_credentials — no token was supplied.