Delete API Key
POST
/web/v1/workspaces/{workspaceId}/api-keys/deleteJWTPermanently deletes (soft-delete) an API key. Deleted keys cannot be recovered or re-enabled.
Authentication
Auth Chain: WEB Chain — requires
Authorization: Bearer <jwt>Requires workspace OWNER role. These headers are injected by the system (frontend does nothing):X-PORTAL-ACCESS-CODE(Nginx),X-Request-Id(Gateway)
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
workspaceId | string | Yes | path | Workspace business ID |
keyId | string | Yes | body | Business ID of the API key to delete |
Success Response
No Content204
"{null}"Error Responses
Unauthorized401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Forbidden — not workspace owner403
{
"success": false,
"code": "4030",
"message": "Only workspace owner can manage API keys"
}Notes
- This is a soft-delete operation; the key record is marked as deleted but not physically removed.
- Deleted keys can no longer authenticate API requests and cannot be re-enabled.
- Only workspace OWNERs can delete API keys.