+1 for everything Brant said.
DELETE http://keystone:35357/v2.0/tokens/{token_id} is definitely a supported call (it was just never included in the original spec), but only for the admin API in v2 (it's never been exposed to the service API on :5000 as far as I know). Prior to v3, there were several requests to add the same call to the "service" API (allowing users to delete their own tokens), which is effectively analogous to a user logging themselves out.
Identity API v3 adds documented support for a similar call (DELETE /v3/auth/tokens):
https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#revoke-token
And Identity API v3 does not distinguish between user-facing and admin-facing calls (instead, leaving that determination up to policy enforcement). The default policy in keystone for the v3 call allows for "admin or owner" to revoke a token, but given that tokens are bearer tokens, if you possess a token, you can also revoke it.
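The v3 revoke call and the "admin or owner" decision described in the comment above, as an added example that is not part of the original comment and is not keystone's code. The `X-Auth-Token` and `X-Subject-Token` headers are the ones Identity API v3 uses; `ToyIdentity`, the token ids, the endpoint URL and the status codes it returns are assumptions of this in-memory model.

```python
import urllib.request

def build_revoke_request(keystone_url, auth_token, subject_token):
    """Build DELETE /v3/auth/tokens. X-Auth-Token authenticates the caller;
    X-Subject-Token names the token to revoke."""
    return urllib.request.Request(
        keystone_url.rstrip("/") + "/v3/auth/tokens",
        method="DELETE",
        headers={"X-Auth-Token": auth_token, "X-Subject-Token": subject_token},
    )

class ToyIdentity:
    """In-memory model of the server-side decision (hypothetical, not keystone)."""

    def __init__(self):
        self.tokens = {}  # token id -> (user, set of roles)

    def issue(self, token_id, user, roles=()):
        self.tokens[token_id] = (user, set(roles))

    def handle(self, req):
        """Return the HTTP status this model gives for a revoke request."""
        hdrs = {k.lower(): v for k, v in req.header_items()}
        caller = self.tokens.get(hdrs.get("x-auth-token"))
        if caller is None:
            return 401  # caller's own token is unknown or already revoked
        subject_id = hdrs.get("x-subject-token")
        subject = self.tokens.get(subject_id)
        if subject is None:
            return 404
        is_admin = "admin" in caller[1]
        is_owner = caller[0] == subject[0]
        if not (is_admin or is_owner):
            return 403  # "admin or owner" policy denies
        del self.tokens[subject_id]
        return 204

def demo():
    ks = ToyIdentity()
    url = "http://keystone.example:5000"  # constructed endpoint
    ks.issue("tok-alice", "alice")
    ks.issue("tok-bob", "bob")
    ks.issue("tok-admin", "ops", roles=["admin"])
    return [
        ks.handle(build_revoke_request(url, "tok-bob", "tok-alice")),    # other user
        ks.handle(build_revoke_request(url, "tok-alice", "tok-alice")),  # logout
        ks.handle(build_revoke_request(url, "tok-alice", "tok-alice")),  # reuse after revoke
        ks.handle(build_revoke_request(url, "tok-admin", "tok-bob")),    # admin
    ]

if __name__ == "__main__":
    print(demo())
```

The second request is the self-revocation case: the token is presented as both the caller's credential and the subject, so the owner check passes for whoever holds it.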