DELETE /v1/api-keys/:keyId
Retire a key cleanly - soft delete without tripping the kill-switch.
DELETE
/v1/api-keys/{keyId}Phase 1stable
- Auth
- Bearer
Clean retirement. Retires a key without treating it as compromised. Unlike /kill, this is the planned decommission path.
Use this when:
- A service that owned the key has been decommissioned.
- You're consolidating keys down to a smaller set.
- An employee with key access has left and you want to retire their key (not quarantine the whole namespace).
Do NOT use this when the secret may have leaked - call /kill instead. Delete is for planned retirement; kill is for suspected compromise.
A deleted key cannot be revived via the partner surface. Partner key issuance is dashboard / admin-only - there is no partner-API endpoint to mint a new key. Issue a fresh key from the Layers dashboard, then deploy it.
Path
keyIdstring (UUID)requiredThe api_keys.id of the key to delete. Must belong to the same org as the calling key.
Example
# Retire the key for a decommissioned service
curl -X DELETE https://api.layers.com/v1/api-keys/c2037bb9-354d-4662-96b7-97a28ad6b6e1 \
-H "Authorization: Bearer $LAYERS_API_KEY"200OK - key retired
{
"apiKey": {
"id": "c2037bb9-354d-4662-96b7-97a28ad6b6e1",
"organizationId": "org_2481fa5c-a404-44ed-a561-565392499abc",
"name": "legacy-nightly-cron",
"prefix": "lp_...",
"killSwitch": false,
"isActive": false,
"revokedAt": "2026-04-20T18:14:02.187Z"
},
"deleted": true
}Errors
| Status | Code | When |
|---|---|---|
| 404 | NOT_FOUND | Key ID doesn't exist, or belongs to a different org. |
| 422 | VALIDATION | Missing :keyId. |
See also
- Kill - emergency stop; sets kill-switch, records as incident.
- Rotate - replace the secret without retiring the key.
- API keys concept - lifecycle diagram.
- Audit log -
api_key.deletedevents.