diff --git a/ykval-config.php b/ykval-config.php
index 2fbbc60..2a79534 100644
--- a/ykval-config.php
+++ b/ykval-config.php
@@ -11,10 +11,17 @@ $baseParams['__YKVAL_DB_PW__'] = 'password';
 $baseParams['__YKGAK_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
 $baseParams['__YKGAK_DB_NAME__'] = $baseParams['__YKVAL_DB_NAME__'];
 $baseParams['__YKGAK_DB_USER__'] = 'ykval_getapikey';
-$baseParams['__YKGAK_DB_PW__'] = 'password';
+$baseParams['__YKGAK_DB_PW__'] = 'secondpassword';
 $baseParams['__YKGAK_ID__'] = '';
 $baseParams['__YKGAK_KEY__'] = '';
 
+# For the revoke service.
+$baseParams['__YKR_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
+$baseParams['__YKR_DB_NAME__'] = $baseParams['__YKVAL_DB_NAME__'];
+$baseParams['__YKR_DB_USER__'] = 'ykval_revoke';
+$baseParams['__YKR_DB_PW__'] = 'thirdpassword';
+$baseParams['__YKR_IP__'] = '1.2.3.4';
+
 // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
 // CLIENT.  The URLs must be fully qualified, i.e., contain the OTP
 // itself.
diff --git a/ykval-db.sql b/ykval-db.sql
index 5074a54..16b4b87 100644
--- a/ykval-db.sql
+++ b/ykval-db.sql
@@ -40,4 +40,11 @@ CREATE USER 'ykval_getapikey'@'localhost';
 GRANT SELECT(id),INSERT
 	ON ykval.clients to 'ykval_getapikey'@'localhost';
 
+-- DROP USER 'ykval_revoke'@'localhost';
+CREATE USER 'ykval_revoke'@'localhost';
+GRANT UPDATE(active)
+        ON ykval.yubikeys to 'ykval_revoke'@'localhost';
+GRANT SELECT(publicName)
+        ON ykval.yubikeys to 'ykval_revoke'@'localhost';
+
 FLUSH PRIVILEGES;
diff --git a/ykval-revoke.php b/ykval-revoke.php
new file mode 100644
index 0000000..eb96f88
--- /dev/null
+++ b/ykval-revoke.php
@@ -0,0 +1,51 @@
+<?php
+require_once 'ykval-common.php';
+require_once 'ykval-config.php';
+
+header("content-type: text/plain");
+
+debug("Request: " . $_SERVER['QUERY_STRING']);
+
+if ($baseParams['__YKR_IP__'] != $_SERVER["REMOTE_ADDR"]) {
+  logdie("ERROR Authorization failed");
+}
+
+# Connect to db
+$conn = mysql_connect($baseParams['__YKR_DB_HOST__'],
+                      $baseParams['__YKR_DB_USER__'],
+                      $baseParams['__YKR_DB_PW__'])
+  or die('Could not connect to database: ' . mysql_error());
+mysql_select_db($baseParams['__YKR_DB_NAME__'], $conn)
+or die('Could not select database');
+
+# Parse input
+$yk = $_REQUEST["yk"];
+$do = $_REQUEST["do"];
+if (!$yk) {
+  logdie("ERROR Missing parameter");
+}
+if ($do != "enable" && $do != "disable") {
+  logdie("ERROR Unknown do value: $do");
+}
+
+# Check if key exists
+$stmt = 'SELECT publicName FROM yubikeys WHERE publicName=' .
+  mysql_quote (modhex2b64($yk));
+$r = query($conn, $stmt);
+if (mysql_num_rows($r) != 1) {
+  logdie("ERROR Unknown yubikey $yk");
+}
+
+# Enable/Disable the yubikey
+$stmt = 'UPDATE yubikeys SET active = ' .
+  ($do == "enable" ? "TRUE" : "FALSE") .
+  ' WHERE publicName=' . mysql_quote (modhex2b64($yk));
+query($conn, $stmt);
+$rows = mysql_affected_rows();
+if ($rows != 1) {
+  logdie("ERROR Could not $do for $yk (rows $rows)");
+}
+
+# We are done
+logdie("OK Processed $yk with $do");
+?>