DELETE /v1/api-keys/{prefix}
Revoke API key
curl --request DELETE \
  --url https://api.example.com/v1/api-keys/{prefix}
{
  "keyId": "<string>",
  "prefix": "<string>",
  "label": "<string>",
  "createdAt": {},
  "lastUsedAt": {},
  "revokedAt": {}
}
Dashboard JWT only. A leaked API key cannot revoke sibling keys (or itself).

Path parameters

prefix (string, required)
The key identifier (same value as keyId / prefix shown in the list response).

Response — 200 OK

Echoes the revoked key’s metadata with revokedAt set to the revocation time.
  • keyId: string
  • prefix: string
  • label: string
  • createdAt: string (ISO 8601)
  • lastUsedAt: string (ISO 8601)
  • revokedAt: string (ISO 8601)

Example

curl "$API_BASE/api-keys/sb_live_Pq778jCf" -X DELETE \
  -H "Authorization: Bearer $COGNITO_JWT"
Response (200)
{
  "keyId": "sb_live_Pq778jCf",
  "prefix": "sb_live_Pq778jCf",
  "label": "production",
  "createdAt": "2026-04-21T...",
  "lastUsedAt": "2026-04-21T...",
  "revokedAt": "2026-04-21T..."
}

Notes

  • Immediate. Once the call returns, the next request carrying that secret is 403. No grace period.
  • Irreversible. Revocation cannot be undone — the revokedAt field is set once and never cleared. To re-enable access, mint a new key.
  • Scoped. You can only revoke keys belonging to your own business. Attempting to revoke another business’s key returns 404 (we don’t confirm existence).

Errors

Code  Meaning
401   Missing Authorization header, or JWT expired / invalid
403   Used an API key instead of a Cognito JWT
404   Unknown prefix, or key belongs to another business
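
The following is an added example, not code from this API's own documentation or SDK: a Python helper for rotating out leaked keys that sends the documented DELETE with the dashboard JWT, maps the documented error codes, and treats a key as revoked only when the 200 response echoes the same prefix with revokedAt set. The names revoke_api_key, revoke_all, RevokeError and the injectable opener parameter are assumptions made for illustration; api_base corresponds to $API_BASE in the curl example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Status meanings taken from the Errors table on this page.
ERRORS = {
    401: "missing Authorization header, or JWT expired / invalid",
    403: "an API key was used instead of a Cognito JWT",
    404: "unknown prefix, or key belongs to another business",
}

class RevokeError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"revoke failed ({status}): {reason}")
        self.status = status

def revoke_api_key(api_base, prefix, jwt, opener=urllib.request.urlopen):
    """DELETE {api_base}/api-keys/{prefix}; return the metadata only if revocation is confirmed."""
    url = f"{api_base.rstrip('/')}/api-keys/{urllib.parse.quote(prefix, safe='')}"
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Bearer {jwt}"})
    try:
        with opener(req, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RevokeError(exc.code, ERRORS.get(exc.code, "undocumented status")) from exc
    # Do not rely on the status line alone: the echoed prefix must match the key
    # that was targeted, and revokedAt must carry a timestamp.
    if body.get("prefix") != prefix or not body.get("revokedAt"):
        raise RevokeError(200, "response does not confirm revocation of this key")
    return body

def revoke_all(api_base, prefixes, jwt, opener=urllib.request.urlopen):
    """Revoke several keys; return (revoked, failed) so every key has a recorded outcome."""
    revoked, failed = {}, {}
    for prefix in prefixes:
        try:
            revoked[prefix] = revoke_api_key(api_base, prefix, jwt, opener)["revokedAt"]
        except RevokeError as exc:
            failed[prefix] = exc.status
    return revoked, failed
```

Because a 404 covers both an unknown prefix and a key owned by another business, a prefix that ends up in failed with 404 should be checked against the list response before it is considered handled.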