DELETE https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/delete-api-key
Delete API Key
curl --request DELETE \
  --url https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/delete-api-key \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "key_id": "<string>",
  "confirm_deletion": true,
  "reason": "<string>"
}
'

Overview

Permanently delete an API key and immediately revoke all access. This action cannot be undone, and the key will stop working immediately across all applications.
This action is irreversible. The API key will be permanently deleted and all applications using it will lose access immediately. Consider using the disable endpoint for temporary deactivation instead.

Authentication

This endpoint requires authentication using a secret API key with appropriate team permissions.
curl -X DELETE "https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/delete-api-key" \
  -H "Authorization: Bearer sk_test_..." \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "01HN2X4Y8Z9ABCDEF123456789",
    "confirm_deletion": true
  }'

Request Body

  • key_id (string, required): The unique identifier of the API key to delete
  • confirm_deletion (boolean, required): Must be set to true to confirm the permanent deletion
  • reason (string, optional): Reason for deletion, recorded in the audit trail

Response

  • success (boolean): Indicates whether the key was successfully deleted
  • message (string): Confirmation message about the deletion
  • deleted_key (object): Information about the deleted key (sensitive data excluded)
  • audit_info (object): Audit trail information

Example Response

{
  "success": true,
  "message": "API key permanently deleted",
  "deleted_key": {
    "id": "01HN2X4Y8Z9ABCDEF123456789",
    "name": "Legacy Frontend Key",
    "key_type": "pk",
    "environment": "test",
    "last_four": "6789",
    "created_at": "2024-01-01T10:00:00Z",
    "deleted_at": "2024-01-15T14:30:00Z",
    "deleted_by": "01HN2X3Y7W8VBCDEFG123456"
  },
  "audit_info": {
    "reason": "Replaced with new key for security rotation",
    "last_used_at": "2024-01-10T09:15:00Z",
    "total_requests": 15420,
    "usage_last_30_days": 0
  }
}

Error Codes

  • 400 Bad Request: Missing confirmation or invalid request parameters
  • 401 Unauthorized: Invalid or missing API key
  • 403 Forbidden: Insufficient permissions to delete this API key
  • 404 Not Found: API key not found or not accessible
  • 409 Conflict: Key cannot be deleted due to active usage or dependencies
  • 429 Rate Limited: Too many requests; retry after the specified time
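A small client for this endpoint, added here as an example (not CHRT's own code), that builds the request body described above, maps the documented error codes to results a caller can act on, honours Retry-After on a 429, and flags a deleted key that still showed usage in the last 30 days. The injectable fetchImpl parameter is an assumption made so the logic can be exercised offline.

```javascript
// Added example, not CHRT's own client code: builds the delete request body, maps
// the documented error codes, honours Retry-After on 429 and flags recent usage.
const DELETE_URL = 'https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/delete-api-key';
const ERROR_MEANINGS = {
  400: 'missing confirmation or invalid request parameters',
  401: 'invalid or missing API key',
  403: 'insufficient permissions to delete this API key',
  404: 'API key not found or not accessible',
  409: 'key cannot be deleted due to active usage or dependencies',
};

// Builds the JSON body; confirm_deletion is always set explicitly and an empty
// key_id is rejected client-side rather than round-tripping as a 400.
function buildDeleteBody(keyId, reason) {
  if (typeof keyId !== 'string' || keyId.length === 0) {
    throw new Error('key_id is required');
  }
  const body = { key_id: keyId, confirm_deletion: true };
  if (reason) body.reason = reason;
  return body;
}

// Maps status, Retry-After header and parsed body (null on errors) to a result.
function interpretDeleteResponse(status, retryAfterHeader, data) {
  if (status === 429) {
    return { ok: false, status, retryAfterSeconds: Number(retryAfterHeader) || 0 };
  }
  if (status < 200 || status >= 300) {
    return { ok: false, status, error: ERROR_MEANINGS[status] || 'unexpected error' };
  }
  const audit = (data && data.audit_info) || {};
  return {
    ok: Boolean(data && data.success),
    status,
    deletedKeyId: data && data.deleted_key ? data.deleted_key.id : undefined,
    // A non-zero 30-day count means something was still calling this key.
    wasRecentlyUsed: (audit.usage_last_30_days || 0) > 0,
  };
}

// Sends the request; fetchImpl is injectable so the logic can be tested offline.
async function deleteApiKey(secretKey, keyId, reason, fetchImpl = fetch) {
  const response = await fetchImpl(DELETE_URL, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${secretKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(buildDeleteBody(keyId, reason)),
  });
  const data = response.ok ? await response.json() : null;
  return interpretDeleteResponse(response.status, response.headers.get('Retry-After'), data);
}
```

A wasRecentlyUsed result of true after a successful deletion is the signal to go straight to the "Monitor Logs" step below, since some caller was still presenting that key.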

Pre-Deletion Checklist

Before deleting an API key, ensure you have:

✅ Verified Key Usage

  • Check the last usage date in your dashboard
  • Review recent request patterns and volume
  • Confirm no active applications are using the key

✅ Updated Applications

  • Remove or replace the key in all applications
  • Update environment variables and configuration files
  • Test that applications work without the old key

✅ Documented the Change

  • Record the deletion reason for audit purposes
  • Update your API key inventory
  • Notify team members if applicable

✅ Considered Alternatives

  • Disable instead: Use disable endpoint for temporary deactivation
  • Regenerate: Use regenerate endpoint to get a new key value
  • Reduce permissions: Edit the key to limit scopes instead of deleting

When to Delete vs Disable

Delete When:

  • Key is permanently no longer needed
  • Security incident requires immediate permanent revocation
  • Cleaning up test keys after project completion
  • Consolidating duplicate or redundant keys

Disable When:

  • Temporarily suspending access for investigation
  • Key might be needed again in the future
  • Testing deployment without the key
  • Gradual migration to new keys

Post-Deletion Actions

Immediate Actions

  1. Verify Deletion: Confirm the key no longer appears in your dashboard
  2. Test Applications: Ensure applications handle the missing key gracefully
  3. Monitor Logs: Watch for authentication errors that might indicate missed usage
  4. Update Documentation: Remove references to the deleted key

Security Review

// Example: Post-deletion security check.
// Pass the old key's value, not its ID: only the value could ever authenticate,
// so probing with the ID would report success even for a live key.
const verifyKeyDeletion = async (deletedKeyValue) => {
  try {
    // Attempt to use the deleted key (should be rejected with 401)
    const response = await fetch('https://api.chrt.co/v1/status', {
      headers: { 'Authorization': `Bearer ${deletedKeyValue}` }
    });

    if (response.status === 401) {
      console.log('✅ Key successfully deleted - access denied');
      return true;
    }
    console.error(`❌ Key may still be active (HTTP ${response.status})`);
    return false;
  } catch (error) {
    // A network failure proves nothing about the key; treat it as inconclusive
    console.error('⚠️ Could not reach the API, verification inconclusive:', error.message);
    return false;
  }
};

Bulk Deletion

For deleting multiple keys, make separate requests:
const deleteMultipleKeys = async (keyIds, reason, secretKey) => {
  const results = await Promise.allSettled(
    keyIds.map(keyId =>
      fetch('https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/delete-api-key', {
        method: 'DELETE',
        headers: {
          'Authorization': `Bearer ${secretKey}`,
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({
          key_id: keyId,
          confirm_deletion: true,
          reason: reason
        })
      }).then(response => {
        // fetch only rejects on network errors; an HTTP error (403, 404, 409, 429)
        // still resolves, so turn non-2xx statuses into failures explicitly
        if (!response.ok) throw new Error(`HTTP ${response.status}`);
        return response;
      })
    )
  );

  // Pair each outcome with its key ID before filtering so the indexes stay aligned
  const failures = results
    .map((r, i) => ({ keyId: keyIds[i], status: r.status, error: r.reason }))
    .filter(r => r.status === 'rejected')
    .map(({ keyId, error }) => ({ keyId, error }));
  const failed = failures.length;
  const successful = keyIds.length - failed;

  console.log(`Deleted ${successful} keys, ${failed} failures`);

  return { successful, failed, failures };
};

Audit Trail

Key deletions create comprehensive audit records:

Logged Information

  • Who: User ID and name of person who deleted the key
  • When: Exact timestamp of deletion
  • What: Key ID, name, and type that was deleted
  • Why: Reason provided (if any)
  • Context: IP address, user agent, and session info

Retention Policy

  • Audit logs: Retained for 2 years minimum
  • Key metadata: Retained for 90 days after deletion
  • Usage statistics: Retained permanently for billing/analytics
  • Key value: Immediately and permanently destroyed

Deleted keys cannot be recovered. The key value is cryptographically destroyed and cannot be retrieved even by CHRT support staff. Always ensure you have updated all applications before deletion.