Revoke Key (DELETE)

DELETE /cdp/keys — the REST-conventional alias of POST /cdp/keys/revoke. Same idempotent behaviour; the target is supplied in the query string rather than the body.

Session credential required

Key management requires a session credential, not an API key. See Authentication.

Request

DELETE /cdp/keys?id=<key-id>

Query parameters

Param	Type	Required	Description
id	string	one of id / key_prefix	The key record id to revoke.
key_prefix	string	one of id / key_prefix	The key prefix to revoke.
brand_id	string	staff only	Target brand (staff).

A target id or key_prefix is required, or the request is rejected 400.

Response 200

{
  "revoked": [
    {
      "id": "key_abc",
      "key_prefix": "vyg_AbCd",
      "brand_id": "brand-uuid",
      "is_staff": false,
      "expires_at": null,
      "revoked_at": "2026-01-15T00:00:00.000Z",
      "created_at": "2026-01-10T00:00:00.000Z"
    }
  ]
}

revoked lists the records that actually transitioned active → revoked; an already-revoked or not-found target returns { "revoked": [] }.

Example

curl -s -X DELETE "https://cdp.vyg.app/cdp/keys?key_prefix=vyg_AbCd" \
  -H "Authorization: Bearer <session-credential>"

Errors

Status	When
400	Neither id nor key_prefix supplied.
401	Missing or invalid credential.
403	An API key was used for management; a non-staff caller targeted another brand; or no connected Shopify integration resolves a scope for the brand.
405	Unsupported method.
500	Brand-scope resolution failed.

See Errors for the full envelope.