POST /v1/admin/org/{org_id}/suspend

Manual admin-dashboard suspension (master-key auth; admin-worker only).

What this is

Manual suspension via the admin-dashboard (“ops console”). Sets organizations.active = 0. Distinct from POST /v1/admin/billing/org/{org_id}/suspend, which is the automated billing-driven path. The two paths differ in audit-reason classification (ADMIN_ORG_SUSPEND vs ADMIN_BILLING_SUSPEND) and in undo policy (manual requires an explicit reactivate call; billing auto-reactivates on the next paid invoice).

Note (Phase 2.2.5 placeholder state): the scoring-api side currently returns 501 NOT_IMPLEMENTED on auth-success — the full handler ships in the internal admin dashboard plan PR (admin-worker side). Auth gate (master-key validation + audit on AUTH_FAIL_MASTER_KEY) is fully active so the negative-key-matrix tests cover this route.

Authentication

X-API-Key: $MASTER_ADMIN_KEY_ORG_SUSPEND — scope-specific secret. admin-worker only; payment-worker does not hold this secret. Defense-in-depth invariant: payment-worker compromise cannot manually suspend an org.

Idempotency

Idempotency-Key required. Composite PK prevents cross-endpoint replay.

Rate limiting

Request

curl -X POST https://api.cohesionauth.com/v1/admin/org/org_acme_2026_example/suspend \
  -H "X-API-Key: $MASTER_ADMIN_KEY_ORG_SUSPEND" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: example-suspend-key" \
  -d '{
    "confirm_org_id": "org_acme_2026_example",
    "idempotency_key": "example-suspend-key"
  }'

Response (post-implementation)

{
  "suspended": true,
  "org_id": "org_acme_2026_example",
  "suspended_at": "2026-05-03T03:00:00.000Z",
  "request_id": "req_01H...",
  "timestamp": "2026-05-03T03:00:00.000Z"
}

Errors

| Status | Meaning |
|--------|---------|
| 401 | Master-key missing or wrong scope |
| 422 | confirm_org_id mismatches URL path |
| 501 | Handler pending admin-dashboard plan PR (current state) |
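
The gate behaviour described on this page (scope-specific master-key check with an AUTH_FAIL_MASTER_KEY audit entry, the confirm_org_id check, and the 501 placeholder), as an added sketch that is not the project's handler. `gateSuspend`, `constantTimeEqual`, `runNegativeKeyMatrix`, the request shape, the audit record fields and the key values are assumptions constructed for illustration; running the confirm_org_id check before the 501 placeholder is also an assumption, and idempotency handling is not modelled.

```javascript
// Added sketch, not the project's handler. Names, request shape and key values
// are assumptions; status codes and the audit reason are taken from the page.
const enc = new TextEncoder();

// Compare secrets without exiting early on the first differing byte.
function constantTimeEqual(a, b) {
  const x = enc.encode(a), y = enc.encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

function gateSuspend(req, env, audit) {
  const expected = env.MASTER_ADMIN_KEY_ORG_SUSPEND;
  const presented = req.headers["x-api-key"] ?? "";
  // Fail closed if the secret is unset; a key for any other scope fails too.
  if (!expected || !presented || !constantTimeEqual(presented, expected)) {
    audit.push({ reason: "AUTH_FAIL_MASTER_KEY", org_id: req.pathOrgId });
    return { status: 401 };
  }
  // The body must repeat the org id from the URL path.
  if (req.body?.confirm_org_id !== req.pathOrgId) return { status: 422 };
  return { status: 501, code: "NOT_IMPLEMENTED" }; // placeholder state
}

// Constructed negative-key matrix: each row is one request against the gate.
function runNegativeKeyMatrix() {
  const env = { MASTER_ADMIN_KEY_ORG_SUSPEND: "constructed-suspend-secret" };
  const org = "org_acme_2026_example";
  const audit = [];
  const mk = (key, confirm) => ({
    pathOrgId: org,
    headers: key === null ? {} : { "x-api-key": key },
    body: { confirm_org_id: confirm },
  });
  const cases = [
    mk(null, org),                          // missing key
    mk("constructed-billing-secret", org),  // another scope's key
    mk("constructed-suspend-secret", "org_other_example"), // confirm mismatch
    mk("constructed-suspend-secret", org),  // valid, reaches placeholder
  ];
  const statuses = cases.map((c) => gateSuspend(c, env, audit).status);
  return { statuses, auditReasons: audit.map((a) => a.reason) };
}

console.log(runNegativeKeyMatrix());
```

Only the two key failures write an audit entry in this sketch; the 422 and 501 rows pass the key check first.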