DELETE /v1/organizations/:orgId/api-keys/:keyId

To kill a customer's credential right now, delete the child key. You call this with your parent (org:admin) key. The revoke is immediate and has no grace window - the next request that key makes fails with 401 UNAUTHENTICATED. Reach for this when a child secret has leaked, a customer has churned, or you want to cut off a key the moment after rotating to a replacement.

If you instead want a zero-downtime swap - keep the old secret alive while you roll out a new one - rotate the key rather than deleting it.

The call is idempotent: deleting an already-revoked key returns its terminal shape, not an error.

Example

curl -X DELETE \
  https://api.layers.com/v1/organizations/org_d4e5f6a7-8b9c-4d0e-9f2a-3b4c5d6e7f80/api-keys/key_c2037bb9... \
  -H "Authorization: Bearer $LAYERS_PARENT_KEY"

{
  "apiKey": {
    "id": "key_c2037bb9-354d-4662-96b7-97a28ad6b6e1",
    "organizationId": "org_d4e5f6a7-8b9c-4d0e-9f2a-3b4c5d6e7f80",
    "name": "acme-content-sync",
    "prefix": "lp_live_ABCDEFGHJKMNPQRS",
    "env": "live",
    "scopes": ["content:read", "content:write"],
    "rateLimitTier": "standard",
    "status": "revoked",
    "createdAt": "2026-06-03T18:14:02.187Z",
    "lastUsedAt": "2026-06-03T19:02:41.004Z",
    "rotatedAt": null,
    "revokedAt": "2026-06-03T21:08:55.300Z",
    "graceUntil": null,
    "supersededBy": null
  },
  "deleted": true
}

The returned key now reads status: "revoked" with revokedAt stamped. There is no recovery path on the partner surface - issue a fresh key with mint if the customer still needs access.

Errors

See also

• Rotate - swap the secret without downtime instead of revoking outright.
• Mint a child key - issue a replacement.
• List - confirm the revoke landed.
• Audit log - api_key.deleted events.