Revoke a delegated signing key
Revoke a delegated signing key. Revocation is a single signed-retry flow:
-
Call
DELETE /auth/delegated-keys/{id}with no headers. The response is202with apayloadToSign,requestId, andexpiresAt. -
Stamp
payloadToSignwith the session API keypair of a verified credential on the delegated key’s Embedded Wallet funding account and retry withGrid-Wallet-SignatureandRequest-Idheaders. This deletes the delegated user and its API key, after which the key can no longer sign, and the response is204.
Deleting the user is the kill switch: it removes the API key the delegated key authenticated with, so signing stops regardless of the policy. The policy is left in place — its consensus references the now-deleted user, so it can never authorize anything (Turnkey user IDs are never reused), and deleting it is unnecessary for correctness or security.
Authorizations
API token authentication using format <api token id>:<api client secret>
Headers
Full API-key stamp built over the prior payloadToSign with the session API keypair of a verified credential on the same internal account. Required on the signed retries; ignored on the initial call.
The requestId returned in the prior 202 response, echoed back exactly on the signed retry so the server can correlate it with the issued challenge. Required on the signed retries; must be paired with Grid-Wallet-Signature.
Path Parameters
The id of the delegated key to revoke (the id field of the DelegatedKey returned from POST /auth/delegated-keys).
Response
Challenge issued. Stamp payloadToSign and retry to complete revocation.
202 response returned from the delegated-key endpoints. Stamp payloadToSign with the session API keypair of a verified credential on the delegated key's Embedded Wallet funding account, then retry the same request with the full stamp in Grid-Wallet-Signature and the requestId echoed in Request-Id.
Canonical payload for the retry authorization stamp. Build an API-key stamp over this exact value with the session API keypair, then send the full base64url-encoded stamp in Grid-Wallet-Signature on the retry that completes the original request.
"{\"organizationId\":\"org_2m9F...\",\"parameters\":{\"userId\":\"user_2m9F...\"},\"timestampMs\":\"1775681700000\",\"type\":\"ACTIVITY_TYPE_EXAMPLE\"}"
Grid-issued Request:<uuid> identifier for this pending request. Echo this value exactly in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.
"Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"
Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.
"2026-04-08T15:35:00Z"