Admin OAuth API

Admin-key authenticated endpoints for OAuth token management. All routes require Authorization: Bearer <admin_key> and are mounted under /api/v1/admin/.

POST /api/v1/admin/oauth/revoke-by-pattern

Bulk-revokes all active (non-revoked) OAuth tokens whose client_id matches a SQLite GLOB pattern.

Use cases

• Emergency rotation: revoke all tokens issued to a class of agents
• Incident response: revoke tokens matching a known compromised prefix
• Fleet maintenance: cycle tokens before a planned secret rotation

Request

POST /api/v1/admin/oauth/revoke-by-pattern
Authorization: Bearer <admin_key>
Content-Type: application/json

{
  "client_id_pattern": "shark_agent_v3.2_*",
  "reason": "Quarterly credential rotation"
}

Response — 200 OK

{
  "revoked_count":   12,
  "audit_event_id":  "audit_V1StGXR8_Z5jdHi6B-myT",
  "pattern_matched": "shark_agent_v3.2_*"
}

Error responses

Audit event

A row is written to the audit log with:

• action: oauth.bulk_revoke_pattern
• actor_type: admin
• status: success
• metadata: { "pattern": "...", "revoked_count": N, "reason": "..." }

GLOB pattern reference

Note: GLOB is case-sensitive in SQLite. Use * wildcards liberally to avoid accidentally matching zero tokens.

Effect on agents

Bulk-revoking tokens does not deactivate the agent (OAuth client). The agent can immediately re-issue new tokens via /oauth/token. To disable an agent permanently, use DELETE /api/v1/agents/{id}.

Related endpoints

• GET /api/v1/admin/oauth/consents — list all OAuth consents (tenant-wide)
• DELETE /api/v1/admin/oauth/consents/{id} — revoke a single consent
• DELETE /api/v1/agents/{id} — deactivate agent and revoke all its tokens