Revoke an identity grant. Supports two modes depending on whether you want the identity provider to be notified:
**Immediate revocation (default):** With `skip_deprovisioning=true` (the default), the grant is marked as `REVOKED` immediately in Atomicwork. No action is taken in the identity provider — use this when you've already removed access externally or when the grant is informational only.
**Full deprovisioning:** With `skip_deprovisioning=false`, Atomicwork triggers the full deprovisioning workflow. Depending on the entitlement's provisioning config, this may:
- Remove the user from an Azure AD or Okta group
- Remove a JumpCloud or Google Workspace assignment
- Create a manual service request for IT to action
The response includes a `revocation_status` object with `status` (IN_PROGRESS, COMPLETED, or FAILED) and a `schedule_id` you can use to track the deprovisioning execution.
**Optional fields:**
- `reason` — free-text reason for the revocation (recorded in grant history)
Request
Request body for revoking a grant via the public API
- `reason` (string, optional): Optional reason for revoking the grant
- `skip_deprovisioning` (boolean, optional, defaults to `true`): When true (default), marks the grant as REVOKED immediately without triggering IDP deprovisioning. When false, triggers the full deprovisioning workflow (Azure AD/Okta group removal or service request creation).
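The following is an added example, not Atomicwork's own code: it builds the request body with `skip_deprovisioning` always stated explicitly and classifies each revoke call by whether the identity provider was involved, using the `revocation_status` fields described above. The function names, state labels and sample responses are hypothetical and constructed for illustration; no HTTP call is made because the endpoint is not shown in this section.

```python
import json

# Status values documented for revocation_status.status.
KNOWN_STATUSES = {"IN_PROGRESS", "COMPLETED", "FAILED"}

def build_revoke_body(idp_access_already_removed, reason=None):
    """Request body that always states skip_deprovisioning explicitly,
    so the documented default (true) is never relied on by accident."""
    body = {"skip_deprovisioning": bool(idp_access_already_removed)}
    if reason:
        body["reason"] = reason  # recorded in grant history
    return body

def assess_revocation(request_body, response):
    """Classify one revoke call for an offboarding audit.
    Returns (state, schedule_id); state labels are hypothetical."""
    # An omitted flag behaves as true per the documented default.
    if request_body.get("skip_deprovisioning", True):
        # Grant is REVOKED in Atomicwork only; the IdP was not contacted.
        return ("RECORD_ONLY", None)
    rs = response.get("revocation_status") or {}
    status, schedule_id = rs.get("status"), rs.get("schedule_id")
    if status not in KNOWN_STATUSES:
        return ("UNKNOWN", schedule_id)
    state = {"COMPLETED": "WORKFLOW_COMPLETED",
             "IN_PROGRESS": "PENDING",
             "FAILED": "NEEDS_FOLLOW_UP"}[status]
    return (state, schedule_id)

# Constructed sample responses; only the field names revocation_status,
# status and schedule_id come from the documentation, the values are made up.
SAMPLES = [
    ({"reason": "offboarding"}, {}),  # flag omitted -> default true
    (build_revoke_body(False, "offboarding"),
     {"revocation_status": {"status": "IN_PROGRESS", "schedule_id": "sched-example-1"}}),
    (build_revoke_body(False),
     {"revocation_status": {"status": "FAILED", "schedule_id": "sched-example-2"}}),
    (build_revoke_body(False), {}),   # full mode but no status returned
]

def audit(samples=SAMPLES):
    return [assess_revocation(req, resp) for req, resp in samples]

if __name__ == "__main__":
    for (req, _), result in zip(SAMPLES, audit()):
        print(json.dumps(req), "->", result)
```

A `RECORD_ONLY` result means the grant history was updated but nothing was changed in the identity provider, so it should only appear for grants whose access was already removed externally.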