README.md

@@ -224,6 +224,40 @@ Write down the generated `client_token`.
 
 Lastly don't forget to create some key value pairs underneath `kv/rbacgroup_remco` that the token can access.
 
+#### Token lifecycle management
+
+Revoke an orphan token like so via Vault CLI client. See [Authenticate against Vault](#authenticate-against-vault) at the top for how to authenticate your Vault CLI client and then:
+```
+vault token revoke -accessor <token-accessor-here>.
+```
+
+Find all orphan tokens by their accessor like so. This requires `list` access to `auth/token/accessors`. Members of the `administrators` group outlined above have this.
+```
+vault list -format json auth/token/accessors |\
+    jq -r .[] |\
+    xargs -I '{}' vault token lookup -format json -accessor '{}' |\
+    jq -r 'select((.data.entity_id=="") and (.data.orphan==true) and (.data.path=="auth/token/create-orphan"))'
+```
+
+Output will for example look like:
+```
+{
+  "request_id": "170d8a93-7b61-9ec2-9df7-ad7a8ca0be88",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "accessor": "66IzIsoOpXycYqF33JmfIb8G",
+    ...
+    "entity_id": "",
+    ...
+  },
+  "warnings": null
+}
+```
+
+Where the `accessor` ID (here `66IzIsoOpXycYqF33JmfIb8G`) is what you're going to want to use in your CLI command `vault token revoke`.
+
 ## Clean-up
 
 If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.