
Revoke API key

POST /admin/api-keys/:id/revoke

Immediately disables an API key, preventing all future API requests using that key.

Use Cases:

  • Respond to security incidents (compromised keys)
  • Disable keys for terminated integrations or applications
  • Implement key rotation workflows
  • Emergency access revocation
  • Compliance with security policies

What Happens:

  • Key status changes to revoked or isActive=false
  • All subsequent API requests with this key are rejected immediately
  • Key remains in the system for audit purposes
  • Revocation cannot be undone (create a new key if needed)

Security Notes:

  • Revocation takes effect immediately across all systems
  • In-flight requests may complete before revocation propagates
  • Revoked keys cannot be reactivated; a new key must be created
  • Audit logs record revocation event with timestamp and user

Alternative: Deletion

  • Revoke: Preserves key in system for audit history (recommended)
  • Delete: Permanently removes key record (compliance scenarios)

Warning: Revocation is immediate and irreversible. The key cannot be reactivated. Create a new key if access is needed again.

Tip: Use revocation instead of deletion to maintain audit trails. Revoked keys preserve the history of when they were used.

Info: After revocation, any application using this key will receive 401 Unauthorized errors. Update applications with new keys before revoking old ones.
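
An incident-response helper that revokes a key and then confirms the revoked secret is rejected with 401, probing a few times to cover the propagation window noted under Security Notes. This is an added example, not code from this API's documentation: the host, the probe path, the Bearer header scheme and the treatment of any 2xx status as a successful revoke are assumptions; only the revoke path and the 401 behaviour come from the page.

```python
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.example.invalid"  # assumption: placeholder host
PROBE_PATH = "/v1/ping"                   # assumption: any endpoint that requires a key


def http_send(method, url, api_key):
    """Default transport: send one request and return its HTTP status code."""
    body = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")  # assumption: header scheme
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_and_verify(key_id, revoked_secret, admin_key, send=http_send,
                      attempts=5, delay=1.0, sleep=time.sleep):
    """Revoke key_id, then probe with the revoked secret until it gets 401.

    Returns the revoke status, whether rejection was confirmed, and every
    status seen while probing (useful evidence for the incident record).
    """
    # Percent-encode the id so it cannot alter the request path.
    path = f"/admin/api-keys/{urllib.parse.quote(str(key_id), safe='')}/revoke"
    status = send("POST", BASE_URL + path, admin_key)
    result = {"revoke_status": status, "confirmed": False, "probes": []}
    if not 200 <= status < 300:
        return result  # revoke failed: treat the key as still live
    for attempt in range(attempts):
        code = send("GET", BASE_URL + PROBE_PATH, revoked_secret)
        result["probes"].append(code)
        if code == 401:
            result["confirmed"] = True
            break
        if attempt < attempts - 1:
            sleep(delay)  # allow for propagation before probing again
    return result
```

If `confirmed` is still false after the last probe, escalate rather than assuming the key is dead.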

Request

Responses

An API key for authentication