append-revoke
Append a relationship.revoke event to the event feed.
Append a relationship.revoke event to the event feed. This terminates an existing relationship between an issuer and a subject.
Usage
ak append-revoke [FLAGS]Flags
| Flag | Required | Default | Description |
|---|---|---|---|
--events-path <PATH> | Yes | — | Path to the events.jsonl file. |
--issuer <DID> | Yes | — | Issuer DID (e.g., did:web:example.com). |
--event-id <ID> | Yes | — | Unique event identifier. |
--relationship-id <ID> | Yes | — | Relationship identifier to revoke. |
--subject <DID> | Yes | — | Subject DID. |
--reason-code <CODE> | Yes | — | Reason for revocation (see table below). |
--issued-at <TIMESTAMP> | Yes | — | RFC 3339 UTC timestamp. |
--effective-at <TIMESTAMP> | Yes | — | When the revocation takes effect (RFC 3339 UTC). |
--kid <KID> | Yes | — | Key ID used for signing the event. |
--seed-hex <HEX> | Yes | — | Hex seed for the signing key. |
Reason Codes
| Code | Description |
|---|---|
employment_ended | Employment relationship terminated. |
contract_ended | Contract expired or was terminated. |
permission_revoked | Specific permissions withdrawn. |
superseded | Replaced by a newer relationship event. |
admin_action | Administrative decision. |
error_correction | Correcting a previously issued event. |
other | Any reason not covered above. |
Example
ak append-revoke \
--events-path ./issuer-root/.well-known/sig/events.jsonl \
--issuer did:web:example.com \
--event-id evt-002 \
--relationship-id rel-alice-eng \
--subject did:web:alice.example.com \
--reason-code employment_ended \
--issued-at 2025-06-01T00:00:00Z \
--effective-at 2025-06-15T00:00:00Z \
--kid orgsign-1 \
--seed-hex 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1fOutput:
Appended relationship.revoke event evt-002 (seq=2)
Relationship: rel-alice-eng
Subject: did:web:alice.example.com
Reason: employment_ended
Effective at: 2025-06-15T00:00:00ZNotes
- The
--effective-attimestamp determines when the revocation takes effect. This can be in the future to schedule a revocation, or in the past to backdate one. - A revocation does not delete the relationship history. The upsert events remain in the feed for auditability.
- Revoking a relationship that does not exist (no prior upsert with the given relationship ID) will still append the event, but it will have no effect on derived state.