Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tumban.com/llms.txt

Use this file to discover all available pages before exploring further.

Revoke an API key. Revoked keys are rejected with HTTP 401 on every subsequent request and cannot be reactivated. 
DELETE /api/v2/org/api-keys/{key_id}

Path parameters

key_id
string
required
The key_id from Create API key or List API keys.

Response

204 No Content on success. There is no response body.

Permissions

Revoking an API key requires a dashboard session — API-key auth (Authorization: Bearer sk_…) is not accepted on this endpoint. This prevents a leaked API key from being used to revoke every other key in the organization.
CallerScope
Dashboard session, role=adminMay revoke any key in the organization.
Dashboard session, role=memberMay revoke only keys they created themselves.
API key (sk_…)Rejected with 403.
When a member targets a key they did not create, Tumban responds 404 — the same status as a missing key — so the endpoint cannot be used to enumerate other users’ key_ids.

Example

curl -X DELETE https://api.tumban.com/api/v2/org/api-keys/key_a1b2c3d4e5f6a7b8 \
  -H "Authorization: Bearer <session-token>"

Errors

StatusDetail
403API key management requires a dashboard session. API keys cannot revoke API keys.
404API key not found or already revoked (also returned to a member targeting another user’s key).

Using the dashboard

1

Open API Keys

From the sidebar, click API Keys.
2

Click the trash icon

In the Active Keys table, click the trash icon (tooltip: “Revoke key”) on the row of the key you want to revoke. The row disappears immediately on success — there is no confirmation dialog.
The dashboard currently shows the trash icon on every key row, regardless of whether the signed-in member created the key. Server-side permission checks still apply: a member who tries to revoke another user’s key will receive a 404 from the API and the row will not be removed.