POST /v1/admin/key/revoke

Self-serve key revocation. Terminal until support reactivates the org.

What this is

Sets organizations.active = 0. Every future request returns 401 until support reactivates. The revocation is recorded in audit_log as KEY_REVOKED.

When to use

Confirmed key leak, compromised build machine, departing employee with admin access.

Request

curl -X POST https://api.cohesionauth.com/v1/admin/key/revoke \
  -H "X-API-Key: $COMPROMISED_COHESION_API_KEY"

Python

client.admin.revoke_key()

TypeScript

await client.admin.revokeKey();

Response

{
  "revoked": true,
  "org_id": "org_...",
  "revoked_at": "2026-04-22T18:22:10.432Z",
  "request_id": "req_01H...",
  "timestamp": "2026-04-22T18:22:10.432Z"
}

Recovery

Contact [email protected] to reactivate. An out-of-band identity check is required. If you cannot self-serve, the emergency-revoke runbook lives in scripts/peyton-runbook-2026-04-17.md Section H.7.

Errors

Status  Meaning
401     Key already invalid
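
The call above as a small incident-response helper that records the outcome for the timeline. This is an added example, not the Cohesion SDK or code from this page; it uses only the endpoint, header and response fields shown here. The function names, the injectable opener and the 2xx success check are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

REVOKE_URL = "https://api.cohesionauth.com/v1/admin/key/revoke"  # endpoint from this page

# Constructed sample body, copied from the Response section (elisions kept as-is).
SAMPLE_BODY = (b'{"revoked": true, "org_id": "org_...", '
               b'"revoked_at": "2026-04-22T18:22:10.432Z", "request_id": "req_01H...", '
               b'"timestamp": "2026-04-22T18:22:10.432Z"}')


def interpret(status, body):
    """Turn the HTTP status and body into a record for the incident timeline."""
    if status == 401:
        # Documented meaning: the key was already invalid. This call revoked
        # nothing, so a mistyped key looks the same as a revoked one.
        return {"outcome": "already_invalid"}
    if not 200 <= status < 300:  # assumption: success is reported as 2xx
        raise RuntimeError(f"unexpected status {status}")
    doc = json.loads(body)
    if doc.get("revoked") is not True:
        raise RuntimeError("response did not confirm revocation")
    return {"outcome": "revoked", "org_id": doc.get("org_id"),
            "revoked_at": doc.get("revoked_at"), "request_id": doc.get("request_id")}


def revoke(api_key, opener=urllib.request.urlopen):
    """POST the revocation with the compromised key; `opener` is injectable for tests."""
    req = urllib.request.Request(REVOKE_URL, method="POST",
                                 headers={"X-API-Key": api_key})
    try:
        with opener(req, timeout=10) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, b"")


if __name__ == "__main__":
    # Read the key from the environment so it stays out of shell history and argv.
    print(json.dumps(revoke(os.environ["COMPROMISED_COHESION_API_KEY"])))
```

An "already_invalid" outcome means this call changed nothing, so check audit_log for an earlier KEY_REVOKED entry before closing the incident.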

Next step

After reactivation, rotate immediately via POST /v1/admin/key/rotate.