[role="xpack"]
[[security-api-clear-service-token-caches]]
=== Clear service account token caches API

++++
<titleabbrev>Clear service account token caches</titleabbrev>
++++

Evicts a subset of all entries from the  <<service-accounts,service account>>
token caches.

[[security-api-clear-service-token-caches-request]]
==== {api-request-title}

`POST /_security/service/{namespace}/{service}/credential/token/{token_name}/_clear_cache`

[[security-api-clear-service-token-caches-prereqs]]
==== {api-prereq-title}

* To use this API, you must have at least the `manage_security`
<<privileges-list-cluster,cluster privilege>>.

[[security-api-clear-service-token-caches-desc]]
==== {api-description-title}
Two, separate caches exist for service account tokens: one cache for tokens
backed by the `service_tokens` file, and another for tokens backed by the
`.security` index. This API clears matching entries from both caches.

The cache for service account tokens backed by the `.security` index is cleared
automatically on state changes of the security index. The cache for tokens
backed by the `service_tokens` file is cleared automatically on file changes.

See <<service-accounts,Service accounts>> for more information.

[[security-api-clear-service-token-caches-path-params]]
==== {api-path-parms-title}

`namespace`::
(Required, string) Name of the namespace.

`service`::
(Required, string) Name of the service name.

`token_name`::
(Required, string) Comma-separated list of token names to evict from the
service account token caches. Use a wildcard (`*`) to evict all tokens that
belong to a service account. Does not support other wildcard patterns.

[[security-api-clear-service-token-caches-example]]
==== {api-examples-title}
The following request clears the service account token cache for the `token1`
token:

[source,console]
----
POST /_security/service/elastic/fleet-server/credential/token/token1/_clear_cache
----

Specify multiple token names as a comma-separated list:

[source,console]
----
POST /_security/service/elastic/fleet-server/credential/token/token1,token2/_clear_cache
----

To clear all entries from the service account token caches, use a wildcard
(`*`) in place of token names:

[source,console]
----
POST /_security/service/elastic/fleet-server/credential/token/*/_clear_cache
----