2 files changed, 14 insertions, 0 deletions

diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 4b09f2c4..8990d156 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -975,6 +975,19 @@ example::
     $ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
 
 
+
+Removing Expired Tokens
+===========================================================
+
+In the SQL and KVS token stores expired tokens are not automatically
+removed. These tokens can be removed with::
+
+    $ keystone-manage token_flush
+
+The memcache backend automatically discards expired tokens and so flushing
+is unnecessary and if attempted will fail with a NotImplemented error.
+
+
 Configuring the LDAP Identity Provider
 ===========================================================
 
diff --git a/doc/source/man/keystone-manage.rst b/doc/source/man/keystone-manage.rst
index b7c2131c..84a3ec9f 100644
--- a/doc/source/man/keystone-manage.rst
+++ b/doc/source/man/keystone-manage.rst
@@ -49,6 +49,7 @@ Available commands:
 * ``import_nova_auth``: Import a dump of nova auth data into keystone.
 * ``pki_setup``: Initialize the certificates used to sign tokens.
 * ``ssl_setup``: Generate certificates for SSL.
+* ``token_flush``: Purge expired tokens.
 
 
 OPTIONS