Remove scoped key
Removes a scoped master key from a specific subaccount. As with the add path, the signer must be an admin key.
Endpoint
POST /api/v1/auth/scoped-keys/remove
Authentication
Requires a master-key signed request from an account-level master key.
Returns
200 OKwithMasterKeyResponse. Rejections surface assuccess: falserather than a non-200 status, so always read the body.
Body
Signed write request from a master key. The JSON body is a Base64SignedPayload (Secp256k1) or a PasskeySignedPayload (passkey — adds WebAuthn authenticator_data, client_data_json, and credential_id, with public_key optional); the wire signature_type selects which. The base64 payload is identical in both and decodes to the binary layout [Header(8) || RequestId(16) || Body || Auth] — see spec/signing.md. The decoded Body is:
RemoveScopedSecp256k1MasterKeywhenHeader.request_type=remove_scoped_secp256k1_master_key(29).RemoveScopedPasskeyMasterKeywhenHeader.request_type=remove_scoped_passkey_master_key(31).
- Option 1
- Option 2
JSON envelope for a signed request: the base64-encoded canonical payload plus the base64
signature and public_key of the signing credential. Session-key (Ed25519) endpoints accept
exactly these fields; master-key (Secp256k1 / Passkey) endpoints sign the same payload and may
carry additional signature material. Endpoints also accept the equivalent
application/octet-stream binary frame.
Base64-encoded bytes of the canonical request payload.
"AQABAAAAAAB4m2tQz9KvX1Yk2mN3oQ4rS5tU6vW7xZ8aB9cD0eF1gH2iJ3kL5mN7oP9qR1sT3uV5wX7yZ9a="
Base64-encoded public key of the signing credential.
"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
Base64-encoded signature over the payload.
"AAcOFRwjKjE4P0ZNVFtiaXB3foWMk5qhqK+2vcTL0tng5+71/AMKERgfJi00O0JJUFdeZWxzeoGIj5adpKuyuQ=="