Clearing Credentials
When you need to revoke access — switching machines, offboarding, or rotating credentials — crab logout handles both local cleanup and server-side token revocation.
How Logout Works
The logout process has two stages:
- Token revocation — Crab sends the refresh token (or ID token as fallback) to the IdP's revocation endpoint. This invalidates the token server-side so it can't be reused.
- Local deletion — The encrypted token file is removed from the cache directory regardless of whether revocation succeeded.
Revocation is best-effort. If the IdP is unreachable or has no revocation endpoint, local tokens are still deleted. Your machine is always cleaned up.
Usage
Log out from the current provider
crab logout
# Logged out (aws-oidc)
Log out from all providers at once
crab logout --all
# Logged out from all providers
This removes every token file in the cache directory — useful when switching machines or revoking access across all configured backends.
Behavior Details
- If no cached tokens exist, the command succeeds silently.
- Revocation requires auth.issuer_url and auth.client_id to be configured. If either is missing, only local deletion occurs.
- File-level locking prevents concurrent Crab processes from corrupting the cache during logout.
- The refresh token is preferred for revocation. If unavailable, the ID token is revoked instead.
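The two stages and the fallback rules above, modelled as an added example (not Crab's own code). The `logout` and `pick_token` functions, the injected `revoke` callable and the plain-dict token and config shapes are assumptions; decryption and file locking are left out.

```python
from pathlib import Path
import tempfile

def pick_token(tokens):
    """Prefer the refresh token; fall back to the ID token."""
    for kind in ("refresh_token", "id_token"):
        if tokens.get(kind):
            return kind, tokens[kind]
    return None, None

def logout(cache_file, tokens, config, revoke):
    """Model of the two logout stages. Returns (revoked, deleted).

    tokens: already-decrypted token dict (assumed shape).
    revoke: hypothetical callable(issuer_url, client_id, kind, token) that
            raises on any failure, standing in for the IdP revocation call.
    """
    revoked = False
    kind, token = pick_token(tokens)
    auth = config.get("auth", {})
    # Stage 1: revocation, attempted only when both settings are present.
    if token and auth.get("issuer_url") and auth.get("client_id"):
        try:
            revoke(auth["issuer_url"], auth["client_id"], kind, token)
            revoked = True
        except Exception:
            pass  # best-effort: an unreachable IdP must not block cleanup
    # Stage 2: local deletion, regardless of how stage 1 went.
    path = Path(cache_file)
    deleted = path.exists()
    path.unlink(missing_ok=True)  # no cached file: succeed silently
    return revoked, deleted

if __name__ == "__main__":
    # Constructed sample: IdP unreachable, refresh token missing.
    def idp_down(issuer_url, client_id, kind, token):
        raise ConnectionError("IdP unreachable")

    cache = Path(tempfile.mkdtemp()) / "aws-oidc.json.enc"
    cache.write_bytes(b"constructed placeholder, not a real token file")
    config = {"auth": {"issuer_url": "https://idp.example", "client_id": "crab-cli"}}
    print(logout(cache, {"id_token": "constructed-id-token"}, config, idp_down))
    print(cache.exists())
```

A `revoked` value of False means the token was removed from this machine only; nothing invalidated it at the IdP.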
Token Cache Location
Tokens live at ~/.config/crab/tokens/ (configurable via auth.token_cache_path). Each provider has its own encrypted file:
~/.config/crab/tokens/
├── aws-oidc.json.enc
├── gcp-workload-identity.json.enc
└── azure-entra.json.enc
crab logout deletes the file for the current provider. crab logout --all deletes all files in this directory.
CLI Reference
For complete command syntax and all available flags, see the crab logout reference.