401 on every
subsequent request and cannot be reactivated.
This endpoint uses the HTTP
DELETE method on the bare key
resource. There is no POST /api/v2/org/api-keys/{key_id}/revoke
variant — that path will return 404. The canonical path is exactly
DELETE /api/v2/org/api-keys/{key_id}.Path parameters
The
key_id from Create API key or
List API keys.Response
204 No Content on success. There is no response body.
Permissions
Revoke is not admin-only. Both admins and members can call it from a dashboard session, but with different scope. API-key auth is rejected in every case — this prevents a leaked API key from being used to revoke every other key in the organization.| Caller | Allowed to revoke |
|---|---|
Dashboard session, role=admin | Any key in the organization. |
Dashboard session, role=member | Only keys the member created themselves. |
API key (sk_…) | None — always 403. |
404
— the same status as a missing key — so the endpoint cannot be used to
enumerate other users’ key_ids.
Example
Errors
| Status | Detail |
|---|---|
| 403 | API key management requires a dashboard session. API keys cannot revoke API keys. |
| 404 | API key not found or already revoked (also returned to a member targeting another user’s key). |
Using the dashboard
The dashboard currently shows the trash icon on every key row,
regardless of whether the signed-in member created the key.
Server-side permission checks still apply: a member who tries to
revoke another user’s key will receive a
404 from the API and the
row will not be removed.