From 2cfe0f2bd279bac45d42a5b7e522dd0a0dcd4e83 Mon Sep 17 00:00:00 2001 From: gilesb Date: Fri, 9 Jan 2026 22:23:05 +0000 Subject: [PATCH] Update README with /auth/revoke-user documentation Co-Authored-By: Claude Opus 4.5 --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5d5d2ee..545a212 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,8 @@ The server provides a web interface at the root URL: | `/recipe/{id}` | Recipe detail page | | `/media` | Browse cached media files | | `/auth` | Receive auth token from L2 | -| `/auth/revoke` | Revoke a token (called by L2 on logout) | +| `/auth/revoke` | Revoke a specific token | +| `/auth/revoke-user` | Revoke all tokens for a user (called by L2 on logout) | | `/logout` | Log out | | `/download/client` | Download CLI client | @@ -62,9 +63,11 @@ export L1_PUBLIC_URL=https://celery-artdag.rose-ash.com ### Token revocation -When a user logs out of L2, L2 calls `/auth/revoke` on all attached L1s. L1 maintains a Redis-based revocation list: +When a user logs out of L2, L2 calls `/auth/revoke-user` on all attached L1s. L1 maintains a Redis-based token tracking and revocation system: -- Revoked tokens stored in Redis with 30-day expiry +- Tokens registered per-user when authenticating (`artdag:user_tokens:{username}`) +- `/auth/revoke-user` revokes all tokens for a username +- Revoked token hashes stored in Redis with 30-day expiry - Every authenticated request checks the revocation list - Revoked tokens are immediately rejected
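Review bot: the endpoint table hunk does not say how L1 authenticates a `/auth/revoke-user` request; since the row describes an action that revokes every token for a username, the README should state what L1 checks before honouring the call (for example that it comes from the configured L2), and the `/auth/revoke` row, which lost its "(called by L2 on logout)" annotation, should say whether it is still an L2-only endpoint or is now callable by a user for their own token. Consider wording the two rows as "| `/auth/revoke` | Revoke a specific token (caller: ...) |" and "| `/auth/revoke-user` | Revoke all tokens for a user (called by L2 on logout; authenticated by ...) |" with the actual mechanism filled in.

Review bot: the token-revocation hunk is inconsistent about what is stored in Redis: the new bullet says "Tokens registered per-user when authenticating (`artdag:user_tokens:{username}`)" while the next bullet says "Revoked token hashes stored in Redis with 30-day expiry". If the per-user set holds raw tokens rather than hashes, anyone who can read Redis holds every live token, so the README should say which it is (and preferably the code should store hashes in both places). The bullet should also state the expiry applied to the `artdag:user_tokens:{username}` key, since only the revocation entries are documented as expiring after 30 days and an unbounded per-user set will otherwise grow with every authentication.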