Revoke API Key

Revokes an API key. The key stops authenticating immediately — the next request using it returns 401 key_revoked. The row itself stays in the database for 30 days (soft-delete) so the audit trail and lifecycle events survive; after 30 days a cleanup job hard-deletes it.

Requires the X-Confirm-Destructive: true header. Without it, returns 400 confirmation_required — an accidental DELETE from a misfiring script won't take effect.

curl -X DELETE https://api.cueapi.ai/v1/auth/keys/6e8fc3a0-7a12-4f8a-b8b6-9c5e1d2a3b4c \
  -H "Authorization: Bearer cue_sk_YOUR_KEY" \
  -H "X-Confirm-Destructive: true"

{
  "id": "6e8fc3a0-7a12-4f8a-b8b6-9c5e1d2a3b4c",
  "revoked_at": "2026-04-18T05:45:22Z"
}

Idempotency

Revoking an already-revoked key is a no-op — returns 200 with the existing revoked_at timestamp. Safe to retry from client code.

Errors

Post-revocation behavior

• The next request using the revoked key returns 401 { "code": "key_revoked" }.
• Redis auth cache is invalidated synchronously on revocation — no stale-cache window up to the 5-minute TTL.
• The row remains in api_keys with revoked_at set for 30 days so GET /v1/auth/keys still shows it. It's also kept queryable so api_key_audit_log rows referring to it don't orphan.
• After 30 days, a cleanup job hard-deletes the row and writes a final api_key_audit_log entry with event_type="hard_deleted".

Rotate-without-downtime pattern

1. POST /v1/auth/keys with a new label — capture the new plaintext.
2. Update every consumer (MCP host, CLI, worker, CI pipeline, scripts) to use the new key.
3. Wait long enough to be confident no consumer still has the old plaintext in memory.
4. DELETE /v1/auth/keys/{old_id} — zero downtime; old consumers get key_revoked, which is the signal to roll forward.