diff --git a/roles/badges/backend/files/revoke-authorization b/roles/badges/backend/files/revoke-authorization
new file mode 100644
index 0000000000..8d6a6f2ba7
--- /dev/null
+++ b/roles/badges/backend/files/revoke-authorization
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+"""
+This is a CLI script for revoking an authorization that a user has on a badge.
+"""
+
+import __main__
+__main__.__requires__ = __requires__ = ["tahrir-api", "sqlalchemy>=0.7"];
+import pkg_resources
+pkg_resources.require(__requires__)
+
+import argparse
+import transaction
+import sys
+
+from tahrir_api.dbapi import TahrirDatabase
+
+import fedmsg
+import fedmsg.config
+
+import fedbadges.utils
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(__doc__)
+    parser.add_argument('--user', default=None, help="A FAS username")
+    parser.add_argument('--badge', default=None, help="A badge id")
+    args = parser.parse_args()
+    if not args.user:
+        print "You must specify a FAS username."
+        sys.exit(1)
+    if not args.badge:
+        print "You must specify a badge id."
+        sys.exit(1)
+    return args
+
+
+def initialize():
+    fm_config = fedmsg.config.load_config()
+    fm_config['cert_prefix'] = 'fedbadges'
+    fm_config['name'] = 'relay_inbound'
+    fm_config['active'] = True
+    fedmsg.init(**fm_config)
+    uri = fm_config['badges_global']['database_uri']
+    tahrir = TahrirDatabase(
+        uri,
+        notification_callback=fedbadges.utils.notification_callback,
+    )
+    return tahrir
+
+
+def main(tahrir, nickname, badge_id):
+    person = tahrir.get_person(nickname=nickname)
+    badge = tahrir.get_badge(badge_id)
+
+    if not person:
+        print "No such person %r" % nickname
+        sys.exit(1)
+
+    if not badge:
+        print "No such badge %r" % badge_id
+        sys.exit(1)
+
+    authz = tahrir.session.query(tahrir.model.Authorization)\
+        .filter_by(tahrir.model.Authorization.badge_id=badge.id)\
+        .filter_by(tahrir.model.Authorization.person_id=person.id)\
+        .all()
+
+    if not authz:
+        print "%r does not have authz on %r badge..." % (nickname, badge_id)
+        return
+
+    print "removing", person.nickname, "from authz on %r." % badge_id
+    try:
+        transaction.begin()
+        for item in authz:
+            tahrir.session.remove(item)
+        transaction.commit()
+    except Exception as e:
+        transaction.abort()
+        print "Failure:", e
+
+
+if __name__ == '__main__':
+    args = parse_args()
+    tahrir = initialize()
+    main(tahrir, args.user, args.badge)
diff --git a/roles/badges/backend/tasks/main.yml b/roles/badges/backend/tasks/main.yml
index bfa0160c3f..6775ef3c03 100644
--- a/roles/badges/backend/tasks/main.yml
+++ b/roles/badges/backend/tasks/main.yml
@@ -161,6 +161,7 @@
   - award-badge
   - revoke-badge
   - grant-authorization
+  - revoke-authorization
   - get-badges-person-id
   tags:
   - scripts