DELETE /auth/credentials/{id}
cURL
curl --request DELETE \
  --url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id} \
  --header 'Authorization: Basic <encoded-value>'
{
  "payloadToSign": "{\"organizationId\":\"org_2m9F...\",\"parameters\":{\"userId\":\"user_2m9F...\"},\"timestampMs\":\"1775681700000\",\"type\":\"ACTIVITY_TYPE_EXAMPLE\"}",
  "requestId": "Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
  "expiresAt": "2026-04-08T15:35:00Z"
}

Authorizations

Authorization
string
header
required

API token authentication using format <api token id>:<api client secret>

Headers

Grid-Wallet-Signature
string

Full API-key stamp built over the prior payloadToSign with the session API keypair of an existing verified authentication credential on the same internal account (other than the one being revoked). Required on the signed retry; ignored on the initial call.

Request-Id
string

The requestId returned in a prior 202 response, echoed back exactly on the signed retry so the server can correlate it with the issued challenge. Required on the signed retry; must be paired with Grid-Wallet-Signature.

Path Parameters

id
string
required

The id of the authentication credential to revoke (the id field of the AuthMethod returned from POST /auth/credentials).

Response

Challenge issued. The response contains payloadToSign plus a requestId. Build an API-key stamp over payloadToSign with the session API keypair of an existing verified credential on the same internal account (other than the one being revoked), then echo requestId on the retry.

202 response returned from Embedded Wallet Auth endpoints that require a signed retry — POST /auth/credentials (adding an additional credential), DELETE /auth/credentials/{id} (revoking a credential), DELETE /auth/sessions/{id} (revoking a session), and the EMAIL_OTP branch of POST /auth/credentials/{id}/verify (the secure OTP login flow, where the client submits an encryptedOtpBundle and receives a verificationToken to sign for the second-leg session issuance). Carries the signing fields from SignedRequestChallenge plus the type of the authentication credential involved (being added, revoked, that issued the session being revoked, or being authenticated). The client already knows the target resource id from the request path / body it just sent, so nothing beyond type is echoed in the response.

The keypair used to compute the stamp depends on the operation. For credential / session management retries, sign with the session API keypair of an existing verified credential on the same internal account. For the EMAIL_OTP verify retry, sign with the ephemeral Target Encryption Key (TEK) the client generated for this login — its public key is the one carried inside the encryptedOtpBundle and bound into the verificationToken, and it becomes the client's session API key on successful completion.

payloadToSign
string
required

Canonical payload for the retry authorization stamp. Build an API-key stamp over this exact value with the session API keypair, then send the full base64url-encoded stamp in Grid-Wallet-Signature on the retry that completes the original request.

Example:

"{\"organizationId\":\"org_2m9F...\",\"parameters\":{\"userId\":\"user_2m9F...\"},\"timestampMs\":\"1775681700000\",\"type\":\"ACTIVITY_TYPE_EXAMPLE\"}"

requestId
string
required

Grid-issued Request:<uuid> identifier for this pending request. Echo this value exactly in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.

Example:

"Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"

expiresAt
string<date-time>
required

Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.

Example:

"2026-04-08T15:35:00Z"

type
enum<string>
required

Credential type relevant to this challenge: the credential type being added (POST /auth/credentials), revoked (DELETE /auth/credentials/{id}), or authenticated (EMAIL_OTP branch of POST /auth/credentials/{id}/verify). For session revocation, this is the type of credential that issued the session (DELETE /auth/sessions/{id}).

Available options: OAUTH, EMAIL_OTP, PASSKEY
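
Client-side handling of the 202 challenge described above, as an added example that is not part of the Grid documentation or SDK. It checks requestId and expiresAt before signing, passes payloadToSign to the signer unchanged, and returns the two headers for the signed retry. The names signed_retry_headers, ChallengeError and stamp_fn, and the 5-second safety margin, are assumptions; the stamp format is not defined on this page, so stamp_fn stands in for whatever builds it.

```python
import re
from datetime import datetime, timedelta, timezone

# Request:<uuid> as described on this page; the strict match also keeps CR/LF out of the header.
REQUEST_ID_RE = re.compile(r"Request:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")


class ChallengeError(ValueError):
    """The 202 body cannot be used to build a signed retry."""


def signed_retry_headers(challenge, stamp_fn, now=None, margin=timedelta(seconds=5)):
    """Return the two extra headers for the signed retry of a 202 challenge.

    stamp_fn is a hypothetical callable(str) -> str that builds the
    base64url-encoded API-key stamp with the session API keypair; the stamp
    format itself is not defined on this page, so it is left to the caller.
    """
    for field in ("payloadToSign", "requestId", "expiresAt"):
        if not isinstance(challenge.get(field), str) or not challenge[field]:
            raise ChallengeError(f"missing or non-string field: {field}")
    if not REQUEST_ID_RE.fullmatch(challenge["requestId"]):
        raise ChallengeError("requestId is not of the form Request:<uuid>")
    try:
        expires = datetime.fromisoformat(challenge["expiresAt"].replace("Z", "+00:00"))
    except ValueError as exc:
        raise ChallengeError("expiresAt is not an ISO 8601 date-time") from exc
    if expires.tzinfo is None:
        raise ChallengeError("expiresAt carries no timezone")
    now = now or datetime.now(timezone.utc)
    if expires - now <= margin:
        raise ChallengeError("challenge expired or about to expire; request a new one")
    # Sign the string exactly as received: parsing and re-serializing the JSON
    # could change key order or whitespace and yield a different signed value.
    stamp = stamp_fn(challenge["payloadToSign"])
    if not isinstance(stamp, str) or not B64URL_RE.fullmatch(stamp):
        raise ChallengeError("stamp is not base64url text")
    return {"Grid-Wallet-Signature": stamp, "Request-Id": challenge["requestId"]}


# Constructed sample mirroring the 202 example on this page.
SAMPLE_CHALLENGE = {
    "payloadToSign": '{"organizationId":"org_2m9F...","parameters":{"userId":"user_2m9F..."},"timestampMs":"1775681700000","type":"ACTIVITY_TYPE_EXAMPLE"}',
    "requestId": "Request:7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
    "expiresAt": "2026-04-08T15:35:00Z",
}
```

Send the returned headers together with the original Authorization header on the second DELETE to the same path.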