Version: v1.0.0(int)

E007: Revoke API token

DELETE /api/user/api-tokens/:id

Revokes a PAT by setting revoked_at. Subsequent requests using that plaintext fail at the middleware with 401. Only the token's owner can revoke it; cross-user revoke returns 404 (not 403) to avoid leaking token existence.

Authentication

Authenticated route, no org membership required. Accepts either a Firebase ID token or another PAT (you can revoke a PAT using a different PAT, as long as both belong to you).

Request

Path parameter id is the token UUID. No body.

Response — 200 OK

{ "deletedId": "uuid" }

Errors

Status  Code               Trigger
401     forbidden          Missing or invalid bearer token.
404     not_found          Token not found, not owned by caller, or already revoked.
422     validation_failed  id is not a UUID.

Maps to

W007.