Skip to main content

POST /keys/revoke

Revoke a user's access to a key

Removes grantee from the key's ACL. The caller must be the owner.

Authentication

Requires the X-Session header (the opaque session id from POST /login). See Authentication.

Request

FieldTypeRequiredDescription
ttagstring (base64)yesBase64 key handle of the key to revoke access to.
granteestringyesUsername to revoke access from.

Example

{
"ttag": "dGFnLWJhc2U2NC1leGFtcGxl",
"grantee": "bob"
}

Responses

200

Access revoked.

FieldTypeRequiredDescription
okbooleanyes

Example

{
"ok": true
}

400

Validation error: missing fields, invalid JSON, or body > 1 MB.

401

Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry.

403

kS RBAC/ACL denial — a real authorization refusal. Surface it; retrying will not help until access is granted.

500

Other kS operation error.

Error handling

This endpoint can return the statuses below. For request bodies and the client action per status, see the full error contract.

StatusMeaning
400Validation error: missing fields, invalid JSON, or body > 1 MB.
401Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry.
403kS RBAC/ACL denial — a real authorization refusal. Surface it; retrying will not help until access is granted.
500Other kS operation error.
Distinguish 401-reauth from 403

A 401 with { "reauth": true } means the server-held token expired — re-run POST /login and retry. A 403 is a real authorization denial — surface it; retrying will not help.