What is the difference between token rotation and token revocation?

Rotation replaces an old refresh token with a new one and can expose replay attempts, while revocation ends the credential’s ability to issue any new tokens. Rotation helps with detection and hygiene, but revocation is what contains compromise. Organisations need both, plus family-wide invalidation when theft is suspected.

Why This Matters for Security Teams

Token rotation and token revocation are easy to conflate, but they solve different operational problems. Rotation is a hygiene control: it narrows the window in which a stolen refresh token can be reused and may reveal replay attempts. Revocation is a containment control: it removes the token’s ability to mint anything new. That distinction matters because exposed NHI credentials are often not discovered in neatly managed vaults. In the wild, 44% of NHI tokens are exposed across Teams, Jira, Confluence, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.

Security teams also need to think beyond the token itself. If a refresh token is duplicated into tickets, logs, or chat, rotation alone may not be enough to stop abuse. That is why current guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s Guide to the Secret Sprawl Challenge consistently frames lifecycle control as a broader discipline, not a single action. In practice, many security teams encounter token reuse only after access logs show suspicious activity, rather than through intentional detection and response design.

How It Works in Practice

Rotation and revocation should be treated as complementary steps in a credential lifecycle. Rotation replaces the current refresh token with a new one and invalidates the predecessor, which helps expose replay. Revocation closes the door entirely, preventing the token family from issuing new access tokens. For managed NHI estates, this usually means pairing short token TTLs with event-driven revocation when a compromise indicator appears. NHIMG’s NHI Lifecycle Management Guide offers a better mental model for this than thinking in terms of isolated secrets.

  • Use rotation for routine hygiene, especially where refresh tokens are long-lived and exposed to automation.
  • Use revocation when there is credible suspicion of theft, offboarding, or misuse.
  • Invalidate the whole token family if the issuer cannot prove which copy was stolen.
  • Combine revocation with downstream session termination where the access token may still be active.

The key implementation issue is propagation. If the identity provider revokes a refresh token but downstream services continue trusting previously issued access tokens, the blast radius remains open until expiry. That is why practitioners often pair revocation with policy enforcement and short-lived credentials, a pattern reinforced by the OWASP Non-Human Identity Top 10 and NHIMG’s Guide to NHI Rotation Challenges. The GitGuardian data in The State of Secrets Sprawl 2026 is blunt on why this matters: 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows that detection without automated revocation leaves real exposure in place. These controls tend to break down when legacy systems cannot invalidate issued tokens centrally because each application maintains its own session state.
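The following Python sketch is an added illustration, not code from the article or from any identity provider: it models an issuer-side refresh-token store with token families, rotation that flags reuse of a rotated-out token as replay and invalidates the whole family, explicit family revocation, and a downstream access-token check that consults the issuer's revocation set instead of trusting `exp` alone. The store, field names and status strings are assumptions chosen for the example.

```python
import secrets
import time


class RefreshTokenStore:
    """Issuer-side store (constructed for this example) tracking refresh tokens by family."""

    def __init__(self):
        self.tokens = {}              # refresh token -> {"family": id, "active": bool}
        self.revoked_families = set()

    def _mint(self, family):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"family": family, "active": True}
        return token

    def issue_family(self):
        """Start a new token family, e.g. on first authentication of a workload."""
        family = secrets.token_hex(8)
        return family, self._mint(family)

    def rotate(self, presented):
        """Rotation: swap the presented refresh token for a new one in the same family.
        A token that was already rotated out is a replay indicator, so the whole
        family is invalidated because the issuer cannot tell which copy was stolen."""
        rec = self.tokens.get(presented)
        if rec is None or rec["family"] in self.revoked_families:
            return None, "rejected"
        if not rec["active"]:
            self.revoke_family(rec["family"])
            return None, "replay-detected"
        rec["active"] = False                 # the predecessor can no longer be used
        return self._mint(rec["family"]), "rotated"

    def revoke_family(self, family):
        """Revocation: this family can never mint a new access token again."""
        self.revoked_families.add(family)


def access_token_valid(store, claims, now=None):
    """Downstream check. Checking only `exp` keeps a revoked family trusted until the
    access token expires; consulting the issuer's revocation set closes that gap."""
    now = time.time() if now is None else now
    return claims["exp"] > now and claims["family"] not in store.revoked_families


if __name__ == "__main__":
    store = RefreshTokenStore()
    family, t1 = store.issue_family()
    t2, status = store.rotate(t1)             # normal rotation
    print(status, store.rotate(t1)[1])        # replaying t1 -> family invalidated
    print(access_token_valid(store, {"exp": time.time() + 300, "family": family}))
```

In a real deployment the revocation set would have to be published to every resource server (or the access-token TTL kept short enough) for the downstream check to be meaningful.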

Common Variations and Edge Cases

Tighter revocation logic often increases operational overhead, requiring organisations to balance rapid containment against service availability. That tradeoff is especially visible in integrations where one token supports multiple applications, because a single revocation event can interrupt legitimate automation as well as malicious activity. Best practice is evolving here: some teams prefer family-wide invalidation, while others scope revocation more narrowly when telemetry is strong enough to distinguish which credential was abused.

Edge cases usually appear in overused or duplicated NHIs. If one token is shared across several workloads, revocation can create a wider outage than expected, while rotation may fail to fully contain a leak because a second copy remains active. NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful here because static credentials need stronger lifecycle discipline than dynamic ones. For organisations still maturing their controls, Top 10 NHI Issues helps frame why revocation, rotation, and secret discovery have to work together. In practice, teams get into trouble when they assume the token store is the only source of truth, but the real problem is duplicated credentials across chat, tickets, code, and runners.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers token lifecycle hygiene, including rotation and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access depends on timely invalidation of compromised credentials. |
| NIST AI RMF | | Governance requires accountable lifecycle controls for autonomous credential use. |

Define ownership and incident triggers for rotation and revocation decisions across automated systems.