diff --git a/.woodpecker/release-tag.yaml b/.woodpecker/release-tag.yaml
index cd3b659..2da2bde 100644
--- a/.woodpecker/release-tag.yaml
+++ b/.woodpecker/release-tag.yaml
@@ -61,3 +61,10 @@ steps:
       - git tag -a "$TAG" -m "Automated release for Tailscale $TS"
       - git push "https://woodpecker:$GIT_TOKEN@gitea.lumpiasty.xyz/lumpiasty/mikrotik-tailscale.git" "$TAG"
       - echo "Pushed $TAG"
+  - name: Invalidate OpenBao token
+    image: quay.io/openbao/openbao:2.5.4
+    environment:
+      VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
+    commands:
+      - export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
+      - bao write -f auth/token/revoke-self
diff --git a/.woodpecker/release.yaml b/.woodpecker/release.yaml
index 2ca58e4..5a0b0a3 100644
--- a/.woodpecker/release.yaml
+++ b/.woodpecker/release.yaml
@@ -56,3 +56,10 @@ steps:
         - OCI_VERSION=${CI_COMMIT_TAG}
       # Credentials (PLUGIN_USERNAME / PLUGIN_PASSWORD) come from OpenBao.
       env_file: /woodpecker/registry.env
+  - name: Invalidate OpenBao token
+    image: quay.io/openbao/openbao:2.5.4
+    environment:
+      VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
+    commands:
+      - export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
+      - bao write -f auth/token/revoke-self