API reference

Revoke API key


Mark a scoped API key as revoked so it can no longer authenticate.

POST /v1/api_keys/revoke
Permissions: admin, keys:write

Endpoint

HTTP request

https://api.diffio.ai/v1/api_keys/revoke

Use POST with a JSON body.

Permissions

admin, keys:write

API keys must be active.

Authentication

Send the API key on every request using one of the supported headers.

  • Authorization: Bearer <apiKey>
  • X-Api-Key: <apiKey>
  • Xi-Api-Key: <apiKey>

Request

Provide the target scoped key id.

Body fields

| Field | Type   | Required | Description                 |
|-------|--------|----------|-----------------------------|
| keyId | string | Yes      | Scoped API key id to revoke. |

cURL

curl -X POST "https://api.diffio.ai/v1/api_keys/revoke" \
  -H "Authorization: Bearer $DIFFIO_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "key_child_123"
  }'

Response

Returns the revoked key metadata.

Response fields

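| Field     | Type   | Required | Description                              |
|-----------|--------|----------|------------------------------------------|
| keyId     | string | Yes      | Revoked API key id.                      |
| status    | string | Yes      | Key status, set to revoked.              |
| revokedAt | string | Yes      | Revocation timestamp in ISO 8601 format. |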

Successful response

{
  "keyId": "key_child_123",
  "label": "Dashboard browser key",
  "status": "revoked",
  "keyPrefix": "diffio_live_child",
  "role": "scoped",
  "scopes": ["projects:read", "generations:read"],
  "resourceBounds": {},
  "parentKeyId": "key_admin_123",
  "createdAt": "2026-05-09T12:00:00Z",
  "rotatedAt": null,
  "revokedAt": "2026-05-09T12:45:00Z"
}

Return codes

  • 200 Success, treated as complete: Scoped API key revoked.
  • 204 Success, treated as empty response: CORS preflight when method is OPTIONS.
  • 400 Bad request, treated as client error: Invalid JSON body, or keyId is required.
  • 401 Unauthorized, treated as auth error: Missing API key, or invalid API key.
  • 403 Forbidden, treated as permission error: Privileged admin API key required, API key is not active, missing keys:write permission, or target key is an admin key.
  • 404 Not found, treated as missing resource: API key not found.
  • 405 Client error, treated as fix required: Method is not POST.
  • 500 Server error, treated as retryable: Failed to revoke API key.

Notes

  • Admin keys cannot be revoked through this public API endpoint.
  • A revoked key returns an "API key is not active" error when used.
  • The endpoint writes an audit log entry for successful revocation.
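
The following is an added example, not Diffio's own client code: a revocation helper for an offboarding or incident-response script that retries only on 500, fails fast on the 4xx codes listed above, and confirms the documented response fields before reporting success. The names `revoke_key`, `http_post` and `RevokeError` are hypothetical, as are the retry count and backoff.

```python
import json
import time
import urllib.error
import urllib.request
from datetime import datetime

REVOKE_URL = "https://api.diffio.ai/v1/api_keys/revoke"  # endpoint from this page

class RevokeError(Exception):
    """Raised for any outcome other than a confirmed revocation."""
    def __init__(self, status, body):
        super().__init__(f"revoke failed: HTTP {status}: {body}")
        self.status = status

def http_post(url, headers, body):
    """Default transport (hypothetical helper): returns (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code, err.read().decode()

def revoke_key(key_id, admin_key, post=http_post, attempts=3, backoff=1.0):
    """Revoke a scoped key; return its metadata once revocation is confirmed."""
    headers = {"Authorization": f"Bearer {admin_key}",
               "Content-Type": "application/json"}
    payload = json.dumps({"keyId": key_id}).encode()
    for attempt in range(1, attempts + 1):
        status, text = post(REVOKE_URL, headers, payload)
        if status == 500 and attempt < attempts:
            # 500 is the only code the page lists as retryable.
            time.sleep(backoff * 2 ** (attempt - 1))
            continue
        if status != 200:
            # 400/401/403/404/405 need a fix by the caller, not a retry.
            raise RevokeError(status, text)
        data = json.loads(text)
        # Do not trust the 200 alone: check the documented response fields.
        if data.get("keyId") != key_id or data.get("status") != "revoked":
            raise RevokeError(status, text)
        # revokedAt must parse as ISO 8601 (raises KeyError/ValueError if not).
        datetime.fromisoformat(data["revokedAt"].replace("Z", "+00:00"))
        return data
    raise ValueError("attempts must be at least 1")
```

A `RevokeError` with status 403 or 404 means the target key may still be active, so the calling script should surface it rather than continue.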