> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://developer-test.atomicwork.com/llms.txt.
> For full documentation content, see https://developer-test.atomicwork.com/llms-full.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://developer-test.atomicwork.com/_mcp/server.

# Revoke a grant

POST https://{tenant}.atomicwork.com/api/v1/iga/grants/{grant_id}/revoke
Content-Type: application/json

Revoke an identity grant. Supports two modes depending on whether you want the identity provider to be notified:

**Immediate revocation (default):** With `skip_deprovisioning=true` (the default), the grant is marked as `REVOKED` immediately in Atomicwork. No action is taken in the identity provider — use this when you've already removed access externally or when the grant is informational only.

**Full deprovisioning:** With `skip_deprovisioning=false`, Atomicwork triggers the full deprovisioning workflow. Depending on the entitlement's provisioning config, this may:
- Remove the user from an Azure AD or Okta group
- Remove a JumpCloud or Google Workspace assignment
- Create a manual service request for IT to action

The response includes a `revocation_status` object with `status` (IN_PROGRESS, COMPLETED, or FAILED) and a `schedule_id` you can use to track the deprovisioning execution.

**Optional fields:**
- `reason` — free-text reason for the revocation (recorded in grant history)


Reference: https://developer-test.atomicwork.com/atomicwork-public-api/access-management/postapi-v-1-iga-grants-grant-id-revoke

## OpenAPI Specification

```yaml
openapi: 3.1.0
info:
  title: collection
  version: 1.0.0
paths:
  /api/v1/iga/grants/{grant_id}/revoke:
    post:
      operationId: postapi-v-1-iga-grants-grant-id-revoke
      summary: Revoke a grant
      description: >
        Revoke an identity grant. Supports two modes depending on whether you
        want the identity provider to be notified:


        **Immediate revocation (default):** With `skip_deprovisioning=true` (the
        default), the grant is marked as `REVOKED` immediately in Atomicwork. No
        action is taken in the identity provider — use this when you've already
        removed access externally or when the grant is informational only.


        **Full deprovisioning:** With `skip_deprovisioning=false`, Atomicwork
        triggers the full deprovisioning workflow. Depending on the
        entitlement's provisioning config, this may:

        - Remove the user from an Azure AD or Okta group

        - Remove a JumpCloud or Google Workspace assignment

        - Create a manual service request for IT to action


        The response includes a `revocation_status` object with `status`
        (IN_PROGRESS, COMPLETED, or FAILED) and a `schedule_id` you can use to
        track the deprovisioning execution.


        **Optional fields:**

        - `reason` — free-text reason for the revocation (recorded in grant
        history)
      tags:
        - subpackage_accessManagement
      parameters:
        - name: grant_id
          in: path
          description: The grant ID to revoke
          required: true
          schema:
            type: integer
            format: int64
        - name: X-Api-Key
          in: header
          required: true
          schema:
            type: string
        - name: X-Workspace-Id
          in: header
          required: false
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/Access
                  Management_postapi_v1_iga_grants__grant_id__revoke_Response_200
      requestBody:
        description: Request body for revoking a grant via the public API
        content:
          application/json:
            schema:
              type: object
              properties:
                reason:
                  type: string
                  description: Optional reason for revoking the grant
                skip_deprovisioning:
                  type: boolean
                  default: true
                  description: >
                    When true (default), marks the grant as REVOKED immediately
                    without triggering IDP deprovisioning. When false, triggers
                    the full deprovisioning workflow (Azure AD/Okta group
                    removal or service request creation).
servers:
  - url: https://{tenant}.atomicwork.com
components:
  schemas:
    Access Management_postapi_v1_iga_grants__grant_id__revoke_Response_200:
      type: object
      properties: {}
      description: Empty response body
      title: Access Management_postapi_v1_iga_grants__grant_id__revoke_Response_200
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-Api-Key

```

## SDK Code Examples

```python
import requests

url = "https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke"

payload = {
    "reason": "User left the company, immediate access removal required",
    "skip_deprovisioning": False
}
headers = {
    "X-Workspace-Id": "{{workspace_id}}",
    "X-Api-Key": "<apiKey>",
    "Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)

print(response.json())
```

```javascript
const url = 'https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke';
const options = {
  method: 'POST',
  headers: {
    'X-Workspace-Id': '{{workspace_id}}',
    'X-Api-Key': '<apiKey>',
    'Content-Type': 'application/json'
  },
  body: '{"reason":"User left the company, immediate access removal required","skip_deprovisioning":false}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

```go
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io"
)

func main() {

	url := "https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke"

	payload := strings.NewReader("{\n  \"reason\": \"User left the company, immediate access removal required\",\n  \"skip_deprovisioning\": false\n}")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("X-Workspace-Id", "{{workspace_id}}")
	req.Header.Add("X-Api-Key", "<apiKey>")
	req.Header.Add("Content-Type", "application/json")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
```

```ruby
require 'uri'
require 'net/http'

url = URI("https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["X-Workspace-Id"] = '{{workspace_id}}'
request["X-Api-Key"] = '<apiKey>'
request["Content-Type"] = 'application/json'
request.body = "{\n  \"reason\": \"User left the company, immediate access removal required\",\n  \"skip_deprovisioning\": false\n}"

response = http.request(request)
puts response.read_body
```

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

HttpResponse<String> response = Unirest.post("https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke")
  .header("X-Workspace-Id", "{{workspace_id}}")
  .header("X-Api-Key", "<apiKey>")
  .header("Content-Type", "application/json")
  .body("{\n  \"reason\": \"User left the company, immediate access removal required\",\n  \"skip_deprovisioning\": false\n}")
  .asString();
```

```php
<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke', [
  'body' => '{
  "reason": "User left the company, immediate access removal required",
  "skip_deprovisioning": false
}',
  'headers' => [
    'Content-Type' => 'application/json',
    'X-Api-Key' => '<apiKey>',
    'X-Workspace-Id' => '{{workspace_id}}',
  ],
]);

echo $response->getBody();
```

```csharp
using RestSharp;

var client = new RestClient("https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke");
var request = new RestRequest(Method.POST);
request.AddHeader("X-Workspace-Id", "{{workspace_id}}");
request.AddHeader("X-Api-Key", "<apiKey>");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("application/json", "{\n  \"reason\": \"User left the company, immediate access removal required\",\n  \"skip_deprovisioning\": false\n}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```

```swift
import Foundation

let headers = [
  "X-Workspace-Id": "{{workspace_id}}",
  "X-Api-Key": "<apiKey>",
  "Content-Type": "application/json"
]
let parameters = [
  "reason": "User left the company, immediate access removal required",
  "skip_deprovisioning": false
] as [String : Any]

let postData = JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://{tenant}.atomicwork.com/api/v1/iga/grants/1/revoke")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error as Any)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()
```