
Revocation

A Stamped Mandate can be invalidated before it expires. When that happens, every JWT ever issued against that mandate becomes invalid regardless of the JWT’s own expiry. Revocation is the mechanism that closes the gap between “the user changed their mind” and “the user’s token expires.” A Stamped Mandate is carried on the wire as a PINT, so the status and revocation endpoints below operate on the underlying PINT (and its exp).

What triggers revocation

  • User revokes from the Sumvin app — for example, revoking consent for a previously-granted scope.
  • System revokes on policy violation — KYC regression, Safe compromise signal, anomalous activity.
Revocation applies at the mandate level, not at the individual JWT level. One revoked Stamped Mandate invalidates every JWT in circulation that was exchanged from it.

How a verifier checks

GET /v0/sis/pint/{pint_id}/status
The response carries the PINT’s current status. If the status is not active (for example, revoked), treat the inbound JWT as invalid regardless of its own exp.

When to check

Every verifier picks between two strategies:
Strategy       When to check                                  Trade-off
Always-check   Per request                                    Strictest; adds a round-trip per request
Lazy-check     On cache miss or for sensitive actions only    Cheaper; narrows the window in which a revoked PINT can still be used
Lazy-check is common for read-only Standard-tier scopes. Always-check is the right choice for any Enhanced-tier action — the value of verifying the Safe signature is diluted if you don’t also check revocation.
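The following is an added example of a verifier implementing both strategies from the table above and the status check from the previous section; it is not code from the Sumvin documentation or SDK. It assumes that the JWT names its PINT in a `pint_id` claim, that the status endpoint returns a JSON body with a `status` field and the PINT's `exp`, and it replaces the HTTP call to GET /v0/sis/pint/{pint_id}/status with an in-memory stand-in so it runs offline. Those three points, and the 60-second cache lifetime, are assumptions, not documented behaviour.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-in for GET /v0/sis/pint/{pint_id}/status.
# The real response shape is not specified on this page; a body with a
# "status" field and the PINT's "exp" is an assumption of this example.
FAKE_STATUS_BACKEND: Dict[str, dict] = {
    "pint-aaa": {"status": "active", "exp": 4_102_444_800},   # far-future exp
    "pint-bbb": {"status": "revoked", "exp": 4_102_444_800},  # user revoked it
}


def fetch_status(pint_id: str) -> dict:
    """Stand-in for the HTTP call; raises if the PINT is unknown."""
    if pint_id not in FAKE_STATUS_BACKEND:
        raise LookupError(f"unknown PINT {pint_id}")
    return dict(FAKE_STATUS_BACKEND[pint_id])


@dataclass
class RevocationChecker:
    fetch: Callable[[str], dict]
    strategy: str = "always"            # "always" or "lazy"
    cache_ttl: float = 60.0             # seconds a lazy-check result is trusted (assumed value)
    now: Callable[[], float] = time.time
    calls: int = 0                      # status fetches performed, to show each strategy's cost
    _cache: Dict[str, tuple] = field(default_factory=dict)  # pint_id -> (status doc, fetched_at)

    def _lookup(self, pint_id: str, force: bool) -> Optional[dict]:
        """Return the PINT's status document, from cache unless forced or stale."""
        cached = self._cache.get(pint_id)
        if not force and cached is not None and self.now() - cached[1] < self.cache_ttl:
            return cached[0]
        self.calls += 1
        try:
            doc = self.fetch(pint_id)
        except Exception:
            return None  # fail closed: if status cannot be established, the JWT is not trusted
        self._cache[pint_id] = (doc, self.now())
        return doc

    def is_valid(self, claims: dict, sensitive: bool = False) -> bool:
        """Decide whether an already signature-checked JWT may be honoured.

        `sensitive` marks an action that must always see fresh revocation state
        (the Enhanced-tier case); under the "always" strategy every call is fresh.
        """
        now = self.now()
        if claims.get("exp", 0) <= now:
            return False  # the JWT's own exp governs first
        pint_id = claims.get("pint_id")  # hypothetical claim linking the JWT to its PINT
        if not pint_id:
            return False
        force = self.strategy == "always" or sensitive
        doc = self._lookup(pint_id, force)
        if doc is None:
            return False
        if doc.get("status") != "active":
            return False  # revoked, or any other non-active status: invalid regardless of JWT exp
        if doc.get("exp", 0) <= now:
            return False  # the underlying PINT itself has expired
        return True
```

The `calls` counter makes the trade-off visible: the always-check instance hits the status endpoint on every request, while the lazy-check instance serves repeat requests from its cache and only re-fetches for a sensitive action or once the cached entry is older than `cache_ttl`. Failing closed when the status endpoint is unreachable is a design choice of this example; a verifier that fails open would let a revoked PINT keep working for the duration of an outage.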
