When the API Key is no longer needed, exposed externally, or needs to be disabled for security reasons, you can revoke that key. The revoked key will stop functioning immediatelyand cannot be restored.
Warning:The revocation action is irreversible. After revoke, any requests using this key will be denied. If you need a new key for the same purpose, please create a new API Key or use the Regeneratefunction instead of Revoke.
/api/v1.0/integration/api-keys/{id}/revokePermanently revoke an API Key. The key will change to a inactivestate and can no longer be used.
Header | Type | Required | Description |
|---|---|---|---|
| string | Yes | Authentication token. Format: |
Parameter | Type | Required | Description |
|---|---|---|---|
| string | Yes | ID of the API Key to be revoked. Obtained from the list of API Keys |
curl -X POST "{{protocol}}://{{host}}:{{port}}/api/v1.0/integration/api-keys/key_abc123def456/revoke" \
-H "Authorization: Bearer {{token}}"const axios = require('axios')
const keyId = 'key_abc123def456'
const response = await axios.post(
`{{protocol}}://{{host}}:{{port}}/api/v1.0/integration/api-keys/${keyId}/revoke`,
{},
{
headers: {
'Authorization': 'Bearer {{token}}'
}
}
)
console.log('Kết quả:', response.data.message)import requests
key_id = 'key_abc123def456'
url = f'{{protocol}}://{{host}}:{{port}}/api/v1.0/integration/api-keys/{key_id}/revoke'
headers = {
'Authorization': 'Bearer {{token}}'
}
response = requests.post(url, headers=headers)
data = response.json()
print('Kết quả:', data['message'])HTTP 200 OK
{
"success": true,
"message": "API Key đã được thu hồi thành công",
"id": "key_abc123def456",
"status": "inactive",
"revokedAt": "2026-04-07T15:30:00.000Z"
}Field | Type | Description |
|---|---|---|
| boolean |
|
| string | Result message |
| string | ID of the revoked API Key |
| string | New status: |
| string | Revocation time (ISO 8601) |
HTTP Code | Cause | Resolution |
|---|---|---|
| Invalid or expired token | Retrieve a new authentication token |
| No permission to revoke API Key | Contact Alohubto obtain permission |
| API Key with the provided ID not found | Check the key ID from the list of API Keys |
| API Key has been revoked previously | This key is inactive, no further action needed |
Situation | Action | Reason |
|---|---|---|
Key exposed, still need API connection | Regenerate | Disable the old key, create a new key with the same configuration — reduce downtime |
Key expired, still need API connection | Regenerate | Quick extension without reconfiguring scopes |
Stop integration with third-party applications | Revoke | Permanently cut off access, no replacement key needed |
Detect unusual access from the key | Revokeimmediately | Block unauthorized access as quickly as possible |
Key management employee leaves the company | Regenerateor Revoke | Depending on whether a connection is still needed |
Security:When an API Key is found to be exposed or shows signs of unauthorized access, revoke the key immediately. Contact Alohubif you need assistance checking access logs.