# DELETE /v1/organizations/:orgId/api-keys/:keyId (/docs/api/reference/organizations/api-keys/delete)



<Endpoint method="DELETE" path="/v1/organizations/{orgId}/api-keys/{keyId}" auth="Bearer" scope="org:admin" phase="1" />

To kill a customer's credential right now, delete the child key. You call this with your parent (`org:admin`) key. The revoke is **immediate and has no grace window** - the next request that key makes fails with `401 UNAUTHENTICATED`. Reach for this when a child secret has leaked, a customer has churned, or you want to cut off a key the moment after rotating to a replacement.

If you instead want a zero-downtime swap - keep the old secret alive while you roll out a new one - [rotate](/docs/api/reference/organizations/api-keys/rotate) the key rather than deleting it.

The call is idempotent: deleting an already-revoked key returns its terminal shape, not an error.

<Parameters
  title="Path"
  rows="[
  { name: 'orgId', type: 'string (org_…)', required: true, description: 'The child organization that owns the key. Must be a direct child of your org.' },
  { name: 'keyId', type: 'string (key_…)', required: true, description: 'The key to revoke. Must belong to this child org.' },
]"
/>

## Example [#example]

```bash
curl -X DELETE \
  https://api.layers.com/v1/organizations/org_d4e5f6a7-8b9c-4d0e-9f2a-3b4c5d6e7f80/api-keys/key_c2037bb9... \
  -H "Authorization: Bearer $LAYERS_PARENT_KEY"
```

<Response status="200" description="OK - key revoked">
  ```json
  {
    "apiKey": {
      "id": "key_c2037bb9-354d-4662-96b7-97a28ad6b6e1",
      "organizationId": "org_d4e5f6a7-8b9c-4d0e-9f2a-3b4c5d6e7f80",
      "name": "acme-content-sync",
      "prefix": "lp_live_ABCDEFGHJKMNPQRS",
      "env": "live",
      "scopes": ["content:read", "content:write"],
      "rateLimitTier": "standard",
      "status": "revoked",
      "createdAt": "2026-06-03T18:14:02.187Z",
      "lastUsedAt": "2026-06-03T19:02:41.004Z",
      "rotatedAt": null,
      "revokedAt": "2026-06-03T21:08:55.300Z",
      "graceUntil": null,
      "supersededBy": null
    },
    "deleted": true
  }
  ```
</Response>

The returned key now reads `status: "revoked"` with `revokedAt` stamped. There is no recovery path on the partner surface - issue a fresh key with [mint](/docs/api/reference/organizations/api-keys/mint) if the customer still needs access.

## Errors [#errors]

| Status | Code          | When                                                                              |
| ------ | ------------- | --------------------------------------------------------------------------------- |
| 404    | `NOT_FOUND`   | `:orgId` isn't your child, OR `:keyId` isn't that child's key (anti-enumeration). |
| 422    | `VALIDATION`  | Malformed `:orgId` or `:keyId`.                                                   |
| 503    | `KILL_SWITCH` | Your key or org is suspended; or the child org is suspended/archived.             |

## See also [#see-also]

* [Rotate](/docs/api/reference/organizations/api-keys/rotate) - swap the secret without downtime instead of revoking outright.
* [Mint a child key](/docs/api/reference/organizations/api-keys/mint) - issue a replacement.
* [List](/docs/api/reference/organizations/api-keys/list) - confirm the revoke landed.
* [Audit log](/docs/api/reference/audit-log/list) - `api_key.deleted` events.