Delete User API Key
DELETE /company/apikey/:tempCode
Permanently delete an API Key created by the authenticated user, revoking the programmatic access associated with that credential.
Objective
Allow users to revoke their own API Keys when they are no longer needed or when they are suspected to have been compromised.
Use Cases
- Revoke access from a discontinued integration
- Delete a compromised or accidentally leaked key
- Rotate credentials by deleting the old one and creating a new one
- Clean up test keys that are no longer used
Operation Flow
```mermaid
flowchart TD
A[Receive DELETE Request] --> B{User Authenticated?}
B -->|No| C[401 Unauthorized]
B -->|Yes| D{User Exists?}
D -->|No| E[404 USER_NOT_FOUND]
D -->|Yes| F{temp_code Provided?}
F -->|No| G[400 TEMP_CODE_NOT_PROVIDED]
F -->|Yes| H{API Key Exists?}
H -->|No| I[404 APIKEY_NOT_FOUND]
H -->|Yes| J{Key Belongs to User?}
J -->|No| K[401 CANT_DELETE]
J -->|Yes| L[Soft Delete Key]
L --> M[200 APIKEY_DELETED]
```
Important Considerations
- Only keys belonging to the authenticated user can be deleted; a request for another user's key is rejected with 401 CANT_DELETE
- Identify the API Key by its temp_code, never by the secret key value itself
- Deletion is a soft delete (via the mongoose-delete plugin): the record is flagged as deleted rather than removed from the database
- A soft-deleted key no longer appears in future listings and can no longer be used for access
- Deletion cannot be undone via the public API
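The decision flow above, as an added example that is not the project's own code: a framework-agnostic handler over an in-memory store that applies the checks in the documented order (authentication, user existence, temp_code presence, key lookup by temp_code, ownership, soft delete) and returns the status and code the flowchart names. The in-memory `users` and `apiKeys` collections, the `owner`/`deleted` field names, the `TEMP_CODE_RE` shape check and the `listApiKeys` helper are assumptions made for the example; only the status codes and error codes come from the page.

```javascript
// Added example, not the project's own code. Constructed sample data:
// two users, each owning one API key record.
const users = new Map([
  ['u1', { id: 'u1', name: 'alice' }],
  ['u2', { id: 'u2', name: 'bob' }],
]);

const apiKeys = [
  { temp_code: '2c3srejxqa176128918935tzv', owner: 'u1', name: 'ci-bot', deleted: false },
  { temp_code: 'k9q2f7x1m4p0s8d3h6j5l2n7v', owner: 'u2', name: 'bob-script', deleted: false },
];

// Assumption: temp_code is ~25 alphanumeric characters (page says "approximately 25").
// Anything outside this shape can never match a stored key, so it is answered as
// APIKEY_NOT_FOUND before touching the store (added hardening, not page behaviour).
const TEMP_CODE_RE = /^[a-z0-9]{20,30}$/i;

// `user` is the authenticated principal (null when the session/token was rejected),
// `tempCode` is the :tempCode path parameter.
function deleteApiKey({ user, tempCode }, store = apiKeys) {
  // 1. Authentication: no principal -> 401
  if (!user) return { status: 401, code: 'UNAUTHORIZED' };

  // 2. The principal must still exist (a token can outlive its account)
  if (!users.has(user.id)) return { status: 404, code: 'USER_NOT_FOUND' };

  // 3. temp_code must be present
  if (!tempCode) return { status: 400, code: 'TEMP_CODE_NOT_PROVIDED' };
  if (!TEMP_CODE_RE.test(tempCode)) return { status: 404, code: 'APIKEY_NOT_FOUND' };

  // 4. Look up by temp_code (never by the secret key value); soft-deleted
  //    records are invisible, so deleting twice yields 404, not 200
  const key = store.find((k) => k.temp_code === tempCode && !k.deleted);
  if (!key) return { status: 404, code: 'APIKEY_NOT_FOUND' };

  // 5. Ownership check: this is what stops one user revoking another's credential
  if (key.owner !== user.id) return { status: 401, code: 'CANT_DELETE' };

  // 6. Soft delete: flag the record instead of removing it, keeping an audit trail
  key.deleted = true;
  key.deletedAt = new Date().toISOString();
  return { status: 200, code: 'APIKEY_DELETED' };
}

// Listing helper: soft-deleted keys never appear, matching the page's guarantee
function listApiKeys(user, store = apiKeys) {
  return store
    .filter((k) => k.owner === user.id && !k.deleted)
    .map((k) => ({ temp_code: k.temp_code, name: k.name }));
}
```

Note the order of checks: the ownership test runs after the key has been found, so the same 404 is returned whether a temp_code does not exist or is malformed, and a caller who owns no key learns nothing about other users' keys beyond the 401 the page already documents.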
temp_code Format
- Alphanumeric string of approximately 25 characters
- Example: 2c3srejxqa176128918935tzv
- Obtained from GET /company/apikey/ or from the response when creating the key
Security Notes
- Verify that all integrations using the key have been updated before deleting it; once deleted, every request that still presents that key will be rejected
- When rotating, create the new key first and delete the old one only after the integrations have switched over, to avoid downtime
Request
- Method: DELETE
- Path parameter: tempCode (the temp_code of the key to delete)
Responses
- 200 - API Key successfully deleted (APIKEY_DELETED)
- 400 - temp_code not provided (TEMP_CODE_NOT_PROVIDED)
- 401 - Unauthenticated, or attempt to delete another user's key (CANT_DELETE)
- 404 - API Key not found (APIKEY_NOT_FOUND)