Token revocation list

Token Revocation Lists (TRLs) are the only way to revoke tokens or applications.

Tokens can be revoked via TRLs (Token Revocation Lists).

Activate TRL support

Uncomment the TRL (TOKEN REVOCATION LIST) section in the Warp 10 configuration file.

In /path/to/warp10/etc/conf.d/00-warp.conf:

  • warp.trl.dir: By default, TRLs are located in the directory /path/to/warp10/etc/trl.
  • warp.trl.scan.period: The TRL directory is scanned for changes every 60000 ms by default. Warning: a file is read only once, even if it is modified afterwards.
  • warp.trl.startup.delay

Hard Startup

When you start Warp 10, no TRL is loaded yet. During this short time, a revoked token can be accepted. The hard startup option mitigates this risk. When activated, if no TRL is loaded after the warp.trl.soft.startup delay, the token filter is locked.

By default Hard Startup is set to false.

TRL filename

The TRL filename should respect this pattern: <name>.full.<generation timestamp>-<md5>.trl

The md5 is not used for content integrity, but only to detect a content change between the currently loaded TRL and a new TRL.

TRL format

The TRL has a simple text format. Even if it is not the most compact format, you can easily check whether a token is revoked in it or not.

The file is formatted line by line. Each line should contain:

  • a token identifier (Ident, 64-bit SipHash of the serialized Thrift structure)
  • an application name (prefixed with the character '+')
  • a comment (prefixed with the character '#')


# specific token revoked
# specific application revoked

Note: the token identifier is given with the token delivery.
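
Because a TRL file is read only once, a change to the revocation set has to be published as a new file with a new name rather than edited in place. The following is an added example, not part of the Warp 10 documentation or code base: it writes a TRL in the format above under the documented filename pattern and parses one back to check an entry. Assumptions: the generation timestamp is epoch milliseconds, the md5 is the hex digest of the file content, and the function names and sample values are hypothetical.

```python
import hashlib
import os
import time


def render_trl(idents, apps):
    """Build TRL text: one entry per line, '#' for comments, '+' before app names."""
    lines = ["# specific token revoked"]
    lines += sorted(idents)
    lines.append("# specific application revoked")
    lines += ["+" + app for app in sorted(apps)]
    return "\n".join(lines) + "\n"


def parse_trl(text):
    """Return (revoked_idents, revoked_apps) from TRL text, skipping comments."""
    idents, apps = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):
            apps.add(line[1:])
        else:
            idents.add(line)  # identifier kept as an opaque string
    return idents, apps


def publish_trl(trl_dir, name, idents, apps, now_ms=None):
    """Write a new <name>.full.<timestamp>-<md5>.trl file and return its path."""
    body = render_trl(idents, apps).encode("utf-8")
    # Assumption: timestamp in epoch ms, md5 = hex digest of the content.
    stamp = int(time.time() * 1000) if now_ms is None else now_ms
    digest = hashlib.md5(body).hexdigest()  # change detection only, not integrity
    final = os.path.join(trl_dir, f"{name}.full.{stamp}-{digest}.trl")
    # Write under a name that does not match the TRL pattern, then rename,
    # so a directory scan never picks up a half-written file (read only once).
    tmp = final + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(body)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, final)
    return final
```

Keep trl_dir on the same filesystem as the temporary file (it is here, since both share a directory) so the rename is atomic.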