Delete API key

curl --request POST \
  --url https://staging.zerolatencylabs.com/api/v1/api-keys/{id}/delete \
  --header 'Content-Type: application/json' \
  --header 'X-PUBLIC-KEY: <api-key>' \
  --header 'X-REQUEST-ID: <api-key>' \
  --header 'X-SIGNATURE: <api-key>' \
  --data '
{
  "account_id": 12345
}
'

{
  "deleted_at": "2026-06-23T16:00:00.000Z",
  "id": "0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f",
  "key_name": "trading-bot"
}

API Keys

Delete API key

Deletes an API key on an account.

Endpoint

POST /api/v1/api-keys/{id}/delete

Authentication

Signing material is carried in the X-PUBLIC-KEY, X-SIGNATURE, and X-REQUEST-ID headers — see [SessionSigAuth]. Signed message: request_id (16) || account_id (8 LE) || api_key_id (16 raw bytes). The api_key_id is read from the URL path; the request_id’s embedded timestamp must fall inside the OG’s skew window.

Reach

Mirrors the visibility rule of handle_list_api_keys: the caller’s session must reach the target key’s scope. Pinned target → session must reach that subaccount; unpinned target → caller must hold an admin-rooted, unpinned session.

Returns

200 OK with DeleteApiKeyResponse (id, name, server-side deleted_at timestamp).
400 Bad Request if a signing header is malformed or the request_id’s embedded timestamp falls outside the skew window.
401 Unauthorized if a signing header is missing, signature verification fails, the session is invalid/expired, or the caller’s session does not reach the target key’s scope.
404 Not Found if the target key does not exist.
500 Internal Server Error if an internal error occurs while deleting the key; the key record is then left untouched, so a retry is safe.

POST

api

api-keys

{id}

delete

Delete API key

curl --request POST \
  --url https://staging.zerolatencylabs.com/api/v1/api-keys/{id}/delete \
  --header 'Content-Type: application/json' \
  --header 'X-PUBLIC-KEY: <api-key>' \
  --header 'X-REQUEST-ID: <api-key>' \
  --header 'X-SIGNATURE: <api-key>' \
  --data '
{
  "account_id": 12345
}
'

{
  "deleted_at": "2026-06-23T16:00:00.000Z",
  "id": "0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f",
  "key_name": "trading-bot"
}

Authorizations

X-PUBLIC-KEY

string

header

required

Base64 ed25519 session public key. Part of the SessionSig triple; not an API key.

X-REQUEST-ID

string

header

required

UUIDv7 replay nonce; its embedded timestamp must fall inside the skew window [now-15s, now+5s]. Part of the SessionSig triple.

X-SIGNATURE

string

header

required

Base64 ed25519 signature over the canonical request message. Part of the SessionSig triple.

Path Parameters

string<uuid>

required

Identifier of the API key to delete

Body

application/json

Request payload for POST /api-keys/{id}/delete. Signing material lives in the X-PUBLIC-KEY / X-SIGNATURE / X-REQUEST-ID headers ([SessionSigAuth]).

account_id

integer<int64>

required

Account that owns the key being deleted.

Required range: x >= 0

Example:

12345

Response

API key deleted

Confirmation that an API key was deleted.

deleted_at

string<date-time>

required

Server-side timestamp at which the key was deleted.

Example:

"2026-06-23T16:00:00.000Z"

string<uuid>

required

Identifier of the deleted key.

Example:

"0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f"

key_name

string

required

User-supplied label the deleted key carried.

Example:

"trading-bot"

Create API key Add admin key

⌘I