Skip to main content
DELETE

Endpoint

Dashboard-only endpoint. Called from the WiseYield UI with browser cookies (Clerk session). Not callable from a server-to-server integration today. Revoke keys from Settings → API Keys in the dashboard.

Authentication

Requires a signed-in WiseYield session. The Bearer examples below show the response wire format but are not directly callable outside the browser session.

Path Parameters

key_id
string
required
Unique identifier of the API key to revoke (format: key_{nanoid})

Response

Returns success confirmation.
success
boolean
Always true on successful revocation
message
string
Success message: “API key revoked successfully”

Errors

401
error
Unauthorized - User not signed in
404
error
Not Found - API key not found, already revoked, or belongs to different user
500
error
Internal Server Error - Failed to revoke API key

How It Works

Revocation Flow:
  1. Authentication: Verifies user is signed in
  2. Ownership Check: Finds API key where:
    • id matches provided key_id
    • userId matches authenticated user
    • revokedAt is null (not already revoked)
  3. Soft Delete: Updates API key:
    • revokedAt: null → current timestamp
    • isActive: truefalse
    • updatedAt: current timestamp
  4. Audit Log: Records revocation for security tracking
  5. Immediate Effect: Key becomes invalid for all API requests
Why Soft Delete?: Maintains audit trail while preventing further use. Revoked keys stay in database for historical tracking but can never be reactivated. Post-Revocation:
  • Key will not authenticate any API requests
  • Key excluded from list endpoints (filters by revokedAt IS NULL)
  • Cannot be restored (must create new key)
  • Historical usage data preserved

Security Implications

Immediate Access Revocation

What Happens Instantly:
  • ✅ All active API requests using this key will fail with 401 Unauthorized
  • ✅ Key removed from active keys list
  • ✅ Rate limit tracking stops
  • ✅ Usage tracking stops
What’s Preserved:
  • ✅ Historical usage data (usageCount, lastUsedAt)
  • ✅ Audit logs showing when key was created and revoked
  • ✅ Metadata and configuration

Impact on Applications

Applications Using Revoked Key:
Recommended Actions:
  1. Update application with new API key
  2. Monitor error logs for failed requests
  3. Notify team members using the key

Use Cases

Revoke Compromised Key

Revoke Unused Keys

Revoke Expired Keys

Rotate API Key

Bulk Revoke Test Keys

Best Practices

Confirm Before Revoke: Always show confirmation dialog before revoking keys.
Create Before Revoke: When rotating, create new key and test it before revoking the old one.
Monitor Usage: Check lastUsedAt to identify safe-to-revoke keys.
Audit Regularly: Review and revoke unused keys quarterly.
Immediate Revocation: Key becomes invalid instantly. All apps using it will lose access.
Cannot Undo: Revocation is permanent. Must create new key to restore access.
No Grace Period: There is no transition period. Applications will fail immediately.

Integration Examples

Revoke Button with Confirmation

API Keys Management Table

Cleanup Unused Keys Alert