POST /v1/admin/org/{org_id}/force-revoke

Manual revoke for compromise response (master-key auth; admin-worker only).

What this is

Manual revocation initiated by the admin-dashboard. Sets active = 0 like the suspension paths but uses a distinct audit reason (ADMIN_ORG_FORCE_REVOKE) so post-incident review can distinguish “operator deliberately revoked” from “billing automation deactivated” from “manual ops suspension”. Reactivation is a manual step (no auto-reactivate-on-payment).

Phase 2.2.5 placeholder state: scoring-api returns 501 on successful authentication until the admin-dashboard plan PR ships. The auth gate is already active.

Authentication

X-API-Key: $MASTER_ADMIN_KEY_ORG_FORCE_REVOKE — admin-worker only.

Idempotency

Idempotency-Key required.

Rate limiting

Request

curl -X POST https://api.cohesionauth.com/v1/admin/org/org_acme_2026_example/force-revoke \
  -H "X-API-Key: $MASTER_ADMIN_KEY_ORG_FORCE_REVOKE" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: example-force-revoke-key" \
  -d '{
    "confirm_org_id": "org_acme_2026_example",
    "idempotency_key": "example-force-revoke-key"
  }'

Response (post-implementation)

{
  "revoked": true,
  "org_id": "org_acme_2026_example",
  "revoked_at": "2026-05-03T05:00:00.000Z",
  "request_id": "req_01H...",
  "timestamp": "2026-05-03T05:00:00.000Z"
}

Errors

Status  Meaning
401     Master-key missing or wrong scope
422     confirm_org_id mismatches URL path
501     Handler pending admin-dashboard plan PR
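
An operator-side wrapper for this call, added here as an example (not the project's own code): it derives one idempotency key per org and incident so a retry reuses it, and reports a revoke only when the response body confirms the requested org, so the placeholder 501 is never read as success. The function names, the incident_ref parameter, the org-id pattern, the key derivation and the 2xx success range are assumptions.

```python
import hashlib
import json
import re

BASE_URL = "https://api.cohesionauth.com"  # host from the curl example above
ORG_ID_RE = re.compile(r"^org_[A-Za-z0-9_]+$")  # assumed id shape, inferred from the sample id


def build_force_revoke(org_id, incident_ref, master_key):
    """Return (url, headers, body) for one force-revoke call."""
    if not master_key:
        raise ValueError("MASTER_ADMIN_KEY_ORG_FORCE_REVOKE is not set")
    if not ORG_ID_RE.fullmatch(org_id):
        raise ValueError("org_id has an unexpected shape; refusing to build the URL")
    # Assumed scheme: derive the key from org + incident so a retry of the same
    # revoke reuses it, and a revoke for a different incident does not.
    digest = hashlib.sha256(f"{org_id}:{incident_ref}".encode()).hexdigest()[:32]
    idem = f"force-revoke-{digest}"
    headers = {
        "X-API-Key": master_key,
        "Content-Type": "application/json",
        "Idempotency-Key": idem,
    }
    # confirm_org_id comes from the same variable as the URL path, so this
    # client cannot produce the 422 mismatch by itself.
    body = json.dumps({"confirm_org_id": org_id, "idempotency_key": idem})
    return f"{BASE_URL}/v1/admin/org/{org_id}/force-revoke", headers, body


def interpret(status, body_text, org_id):
    """Return (revoked, note). Only a confirmed revoke of org_id yields True."""
    documented = {
        401: "master key missing or wrong scope",
        422: "confirm_org_id does not match the URL path",
        501: "handler not implemented yet; the org has NOT been revoked",
    }
    if status in documented:
        return False, documented[status]
    if not 200 <= status < 300:  # assumed: success is a 2xx status
        return False, f"unexpected status {status}"
    try:
        data = json.loads(body_text)
    except ValueError:
        return False, "success status but body is not JSON"
    if isinstance(data, dict) and data.get("revoked") is True and data.get("org_id") == org_id:
        return True, f"revoked at {data.get('revoked_at')}"
    return False, "response does not confirm revocation of the requested org"
```

Pass the returned url, headers and body to any HTTP client, then feed the status and body text to interpret() before recording the org as revoked in the incident log.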