Problem Statement
Currently, personal API tokens created by users in their profile settings can only be deleted by the token owner. This creates a security control gap where administrators have no ability to revoke a user’s API access in scenarios where immediate token revocation is necessary (e.g., compromised accounts, departing employees, security incidents, policy violations).
Current State
Service account tokens: RBAC controls exist for deletion
User profile tokens: Only the user can delete their own tokens
No admin override capability exists
Requested Functionality
Enable account administrators and authorized service accounts to delete user API tokens created at the user profile level.
Specific Requirements:
Admin users should be able to delete any regular user’s API tokens
Service accounts with appropriate account-level permissions should be able to delete regular users' API tokens
Should maintain audit trail of token deletions (who deleted, when, which token)
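One way to express the requested authorization rule and audit trail in code, as an added illustration rather than code from the product this request concerns; the role names, the `account:tokens:revoke` permission string and the in-memory store are assumptions, and denied attempts are logged as well as successful revocations:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Role(Enum):
    USER = "user"
    ADMIN = "admin"
    SERVICE = "service_account"

@dataclass(frozen=True)
class Principal:
    id: str
    role: Role
    permissions: frozenset = frozenset()  # account-level permissions held by the principal

@dataclass
class ApiToken:
    id: str
    owner_id: str
    revoked: bool = False

@dataclass(frozen=True)
class AuditEvent:
    actor_id: str   # who attempted the deletion
    token_id: str   # which token
    owner_id: str   # whose token
    outcome: str    # "revoked" or "denied"
    at: datetime    # when (UTC)

REVOKE_PERMISSION = "account:tokens:revoke"  # hypothetical permission name

class TokenService:
    def __init__(self, principals):
        self.principals = {p.id: p for p in principals}
        self.tokens = {}
        self.audit_log = []

    def issue(self, owner_id, token_id):
        self.tokens[token_id] = ApiToken(token_id, owner_id)
        return self.tokens[token_id]

    def can_revoke(self, actor, token):
        owner = self.principals[token.owner_id]
        if actor.id == owner.id:            # owners always keep their existing right
            return True
        if owner.role is not Role.USER:     # override applies to regular users' tokens only
            return False
        if actor.role is Role.ADMIN:        # any admin may revoke a regular user's token
            return True
        return actor.role is Role.SERVICE and REVOKE_PERMISSION in actor.permissions

    def revoke(self, actor, token_id):
        token = self.tokens[token_id]
        allowed = self.can_revoke(actor, token)
        self.audit_log.append(AuditEvent(actor.id, token.id, token.owner_id,
                                         "revoked" if allowed else "denied",
                                         datetime.now(timezone.utc)))
        if not allowed:
            raise PermissionError(f"{actor.id} may not revoke token {token_id}")
        token.revoked = True
        return token
```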
Use Cases
Security Incident Response: Immediately revoke tokens for compromised accounts
Offboarding: Ensure complete access revocation when users leave
Compliance: Enforce token rotation policies
Policy Enforcement: Revoke tokens that violate security policies