Revocations

Revocations allow you to invalidate warrants before they expire. When you revoke a warrant, it's added to the Signed Revocation List (SRL) that authorizers check before granting access.

How Revocation Works

┌─────────────┐      ┌──────────────┐      ┌─────────────┐
│   Admin     │      │ Tenuo Cloud  │      │ Authorizer  │
│  Dashboard  │      │              │      │             │
└──────┬──────┘      └──────┬───────┘      └──────┬──────┘
       │                    │                     │
       │  Revoke Warrant    │                     │
       │───────────────────>│                     │
       │                    │                     │
       │  Regenerate SRL    │                     │
       │───────────────────>│                     │
       │                    │                     │
       │                    │    Fetch SRL        │
       │                    │<────────────────────│
       │                    │                     │
       │                    │   Signed List       │
       │                    │────────────────────>│
       │                    │                     │
       │                    │                     │  Check warrant
       │                    │                     │  against SRL

Revocation Protocol→

Creating a Revocation

Navigate to Revocations

Click Revocations in the sidebar

Create Revocation

Click Create Revocation

Enter Warrant Details

Warrant ID: The ID of the warrant to revoke (format: tnu_wrt_...)
Reason: Why the warrant is being revoked

Submit

Click Create to add the revocation

Regenerate SRL

Click Regenerate SRL to publish the updated revocation list

⚠️

Revocations are not effective until you regenerate the SRL. Authorizers only check the published SRL.

Signed Revocation List (SRL)

The SRL is a cryptographically signed list of all revoked warrant IDs:

Field	Description
Version	Incrementing version number
Issued At	When this SRL was generated
Expires At	When authorizers should fetch a new SRL
Revoked IDs	List of revoked warrant IDs
Signature	Ed25519 signature from your root key

SRL Status

The dashboard shows:

Current Version: The latest SRL version
Last Generated: When the SRL was last regenerated
Revocation Count: Number of active revocations

Regenerating the SRL

Click Regenerate SRL to:

Compile all active revocations into a new list
Sign the list with your root key
Increment the version number
Make it available to authorizers

Authorizers cache the SRL and refresh it periodically. There may be a short delay before revocations take effect globally.

Managing Revocations

View Revocation Details

Click on any revocation to see:

Warrant ID that was revoked
Revocation reason
Who created the revocation
When it was created

Delete a Revocation

To un-revoke a warrant:

Click on the revocation → Delete
Confirm the deletion
Regenerate SRL to publish the change

⚠️

Deleting a revocation re-enables the warrant. Make sure this is intentional.

Exporting the SRL

Download the SRL for debugging or offline verification:

Click Export in the Revocations page
Choose format:
- JSON: Human-readable format
- CBOR: Compact binary format (same as wire format)
- Base64: For embedding in configurations

Best Practices

Revoke promptly

When a warrant should no longer be valid (agent compromised, user offboarded), revoke immediately.

Document revocation reasons

Always provide a clear reason for revocations. This helps with auditing.

Regenerate SRL after batch changes

If adding multiple revocations, add them all first, then regenerate SRL once.

Monitor SRL fetch errors

If authorizers can't fetch the SRL, they may fail open or closed depending on configuration.

API Reference

Revocations API→

Key Management API Keys