---
title: Revoke a stale agent enrollment
description: Deprecate a stale agent enrollment with argusctl agent revoke so it can no longer authenticate.
---

# Revoke a stale agent enrollment



## Goal

Permanently deprecate a stale or unwanted agent enrollment so that the agent's identity can no longer be used.

## When to use it

* The enrollment is stale: the machine was retired, reinstalled, or replaced, and the registered agent identity should not linger in the fleet.
* You are cleaning up enrollments that no longer correspond to a real, current install.

Revocation operates on the agent's enrollment (its identity in the registry), not on a session. To end a live session, use deactivate, the agent-side kill switch, or [disarm the tenant](/docs/remote-support/arm-disarm). To take a whole tenant out of remote support, disarm it.

## What it does

Each enrolled agent authenticates with a per-agent passkey bound at enrollment to one tenant and one agent ID. Revocation is per-agent: a revoked agent's next dial fails authentication, and a live socket is force-closed by the revocation watcher. There is no un-revoke; the machine would need to re-enroll as a new agent to come back.

## Prerequisites

* The full **3-factor operator gate** (same tier as `agent activate`): caller IP in `REMOTE_SUPPORT_OPERATOR_CIDRS`, the `X-Argus-Ops-Token` second factor, and a PAT with the `remote_support` scope, with `REMOTE_SUPPORT_ENABLED` on.
* The agent ID and tenant ID (`argusctl agent ls --tenant <tenant>`).
* A reason for the audit trail.

## Steps: argusctl

```bash
# 1. Confirm you have the right agent
argusctl agent ls --tenant UTD_7ELEVEN_001

# 2. Revoke (destructive: --yes is required)
argusctl agent revoke agent_macpro_lobby_01 --tenant UTD_7ELEVEN_001 \
  --reason "stale enrollment" --yes
```

Like every write, `revoke` supports `--dry-run` to preview the exact request without sending it (header values redacted). The `--yes` flag is required because the action is destructive.
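Because there is no un-revoke, the steps above can be wrapped so that the ID check and the `--dry-run` preview always happen before the destructive call. The following is an added example, not part of argusctl or this documentation's own tooling. The helper name `safe_revoke` is hypothetical, and it assumes `argusctl agent ls` prints each agent ID as a whitespace-delimited token.

```bash
# Added example: guarded wrapper around `argusctl agent revoke`.
# safe_revoke is a hypothetical helper, not part of argusctl.
# Assumption: `argusctl agent ls` prints each agent ID as a
# whitespace-delimited token; the real output format may differ.
safe_revoke() {
  tenant=$1 agent=$2 reason=$3

  # A reason is a prerequisite (audit trail), so refuse an empty one.
  if [ -z "$tenant" ] || [ -z "$agent" ] || [ -z "$reason" ]; then
    echo "usage: safe_revoke <tenant> <agent-id> <reason>" >&2
    return 2
  fi

  # Step 1: confirm the agent exists in this tenant. A 403 here means one
  # of the three gate factors failed (IP, ops token, or PAT scope).
  listing=$(argusctl agent ls --tenant "$tenant") || {
    echo "agent ls failed for tenant $tenant" >&2
    return 3
  }

  # Exact-token match: a substring match would also accept
  # agent_macpro_lobby_010 when asked for agent_macpro_lobby_01.
  matches=$(printf '%s\n' "$listing" | awk -v id="$agent" \
    '{ for (i = 1; i <= NF; i++) if ($i == id) n++ } END { print n + 0 }')
  if [ "$matches" -ne 1 ]; then
    echo "expected exactly 1 entry for $agent in $tenant, found $matches" >&2
    return 4
  fi

  # Preview the request without sending it. Assumption: --dry-run is passed
  # without --yes; if the CLI insists on --yes here, this step fails closed.
  argusctl agent revoke "$agent" --tenant "$tenant" --reason "$reason" --dry-run || {
    echo "dry-run failed; nothing was revoked" >&2
    return 5
  }

  # Step 2: the destructive call. There is no un-revoke.
  argusctl agent revoke "$agent" --tenant "$tenant" --reason "$reason" --yes
}
```

Call it as `safe_revoke UTD_7ELEVEN_001 agent_macpro_lobby_01 "stale enrollment"`; a non-zero exit before the final step means no revocation request was sent.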

## Verify

```bash
argusctl agent ls --tenant UTD_7ELEVEN_001    # the agent should no longer appear as enrolled/online
argusctl agent fleet                           # cross-tenant roll-up
```

The revocation is written to the audit trail like every operator action.

## Troubleshooting

| Symptom                         | Meaning                                                                                                                                                          |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Command refuses without `--yes` | Expected: revoke is destructive and requires explicit confirmation.                                                                                              |
| 403                             | One of the three gate factors failed (IP, ops token, or PAT scope).                                                                                              |
| Agent reappears later           | A machine can re-enroll as a new agent through the normal consent-gated enrollment path; revocation removes the old identity; it does not blocklist the machine. |

