Skip to main content
DELETE
Revoke Developer Key
Revoke an active developer key to immediately prevent its use for API authentication. This action is permanent and cannot be undone - revoked keys cannot be reactivated.
You cannot revoke the developer key you’re currently using for authentication. Use a different active key to revoke others. Always ensure you have at least one active key before revoking.

Authentication

Requires valid JWT token with developer role and an active developer key (different from the one being revoked).

Headers

Authorization
string
required
Bearer JWT access token obtained from login
X-User-Role
string
required
Must be set to developer
X-Developer-Key
string
required
Active developer key for authentication (must be different from the key being revoked)

Path Parameters

key_id
string
required
UUID of the developer key to revoke. Obtain this from the List Developer Keys endpoint.

Response

Returns 204 No Content on successful revocation. No response body is returned.

Example Request

Example Response

No response body is returned for successful revocations.

Use Cases

Revoke Compromised Keys

Immediately deactivate keys that may have been exposed:

Clean Up Unused Keys

Remove keys that haven’t been used recently:

Offboard Team Members

Revoke keys when team members leave:

Key Rotation with Graceful Cutover

Revoke old keys after new ones are deployed:

Security Considerations

Revocation takes effect immediately. Any in-flight API requests using the revoked key will fail with a 403 Forbidden error.

When to Revoke Keys

  1. Compromised Keys: Immediately revoke if a key is exposed in code repositories, logs, or insecure channels
  2. Employee Offboarding: Revoke all keys assigned to departing team members on their last day
  3. Rotation Schedule: Revoke old keys after rotating to new ones (90-day rotation recommended)
  4. Unused Keys: Revoke keys that haven’t been used in 90+ days
  5. Environment Decommission: Revoke keys when shutting down environments (e.g., old staging environments)
  6. Security Incidents: Revoke all keys during security incident response

Best Practices

  1. Maintain Backup Key: Always keep at least 2 active keys to avoid locking yourself out
  2. Document Revocations: Log all key revocations with reasons and timestamps
  3. Verify Before Revoking: Ensure services using the key have been migrated to new keys
  4. Immediate Action: Don’t delay revocation of compromised keys
  5. Communicate Changes: Notify team members before revoking shared environment keys

Error Responses

Key Already Revoked (400)

The key has already been revoked or was never active.

Unauthorized (401)

Invalid or missing JWT token.

Forbidden (403)

Attempting to revoke a key that belongs to a different developer account, or using an invalid/revoked developer key for authentication.

Cannot Revoke Active Key (403)

Attempting to revoke the same key being used in the X-Developer-Key header.

Key Not Found (404)

The specified key_id does not exist or was deleted.

Invalid UUID Format (422)

The key_id parameter is not a valid UUID format.

Revocation Effects

After revocation, the key:
  • ✅ Immediately stops authenticating API requests
  • ✅ Disappears from the List Developer Keys endpoint
  • ✅ Returns 403 Forbidden when used in API requests
  • ✅ Cannot be reactivated or restored
  • ✅ Frees up one slot toward the 10-key limit
(((REPLACE_THIS_WITH_IMAGE: developer-key-revoked-confirmation.png: Success message after revoking developer key with key prefix shown and warning that it cannot be undone)))

List Developer Keys

View all active keys to find key IDs

Create Developer Key

Generate replacement keys after revocation

Revoke via Cloud Admin

Revoke keys using web interface

Security Practices

Key rotation and incident response

Authorizations

Authorization
string
header
required

The access token received from the authorization server in the OAuth 2.0 flow.

Path Parameters

key_id
string<uuid>
required

Response

Successful Response