Revoke Api Key

Invalidate an API key when it's compromised or no longer needed.

When to use: When a key is compromised, a service is decommissioned, or for regular key rotation.

Prerequisites

Completed Create API Key
Have an API key ID to revoke

5-Line Core

success = await api_key_provider.revoke_api_key(
    key_id=api_key.id,
    organization_id="default",
)
# Key is now invalid

When to Revoke

Scenario

Action

Key compromised

Revoke immediately

Service decommissioned

Revoke before removal

Employee leaves

Revoke personal keys

Regular rotation

Revoke after new key works

Step-by-Step

Get Key ID

# From the ApiKey object
key_id = api_key.id

# Or list keys to find the right one
keys = await api_key_provider.list_api_keys(
    organization_id="default"
)
for key in keys:
    print(f"{key.id}: {key.name}")

Revoke the Key

success = await api_key_provider.revoke_api_key(
    key_id=key_id,
    organization_id="default",
)

Verify Revocation

if success:
    print("Key revoked successfully")

    # Verify key no longer works
    identity = await api_key_provider.validate_api_key(plain_key)
    print(f"Key valid: {identity is not None}")  # False

Expected Output

Key revoked successfully
Key valid: False

You can revoke API keys!

Complete Example

Create revoke_api_key.py:

"""GL IAM Revoke API Key Example."""

import asyncio

from gl_iam.providers.postgresql import (
    PostgreSQLProvider,
    PostgreSQLConfig,
)

DATABASE_URL = "postgresql+asyncpg://postgres:postgres@localhost:5432/gliam"


async def main():
    # Setup provider (implements all 6 protocols)
    config = PostgreSQLConfig(database_url=DATABASE_URL)
    provider = PostgreSQLProvider(config)

    # Create a key to revoke
    api_key, plain_key = await provider.create_api_key(
        name="key-to-revoke",
        organization_id="default",
        scopes=["api:read"],
    )
    print(f"Created key: {api_key.id}")

    # Verify it works before revocation
    identity = await provider.validate_api_key(plain_key)
    print(f"Before revoke - valid: {identity is not None}")

    # Revoke the key
    success = await provider.revoke_api_key(
        key_id=api_key.id,
        organization_id="default",
    )

    if success:
        print("Key revoked successfully!")
    else:
        print("Failed to revoke key")

    # Verify it no longer works
    identity = await provider.validate_api_key(plain_key)
    print(f"After revoke - valid: {identity is not None}")

    await provider.close()


if __name__ == "__main__":
    asyncio.run(main())

Run it:

uv run revoke_api_key.py

Expected output:

Created key: 550e8400-e29b-41d4-a716-446655440000
Before revoke - valid: True
Key revoked successfully!
After revoke - valid: False

Key Rotation Pattern

async def rotate_key(api_key_provider, old_key_id: str, org_id: str):
    """Safely rotate an API key."""
    # 1. Create new key first
    new_key, new_plain_key = await api_key_provider.create_api_key(
        name="rotated-key",
        organization_id=org_id,
        scopes=["api:read", "api:write"],
    )
    print(f"New key created: {new_key.key_preview}")

    # 2. Deploy new key to services (done externally)
    # ...

    # 3. Revoke old key after deployment confirmed
    await api_key_provider.revoke_api_key(
        key_id=old_key_id,
        organization_id=org_id,
    )
    print("Old key revoked")

    return new_key, new_plain_key

Common Pitfalls

Pitfall

Solution

Revoking before new key deployed

Create and deploy new key first

Not notifying stakeholders

Coordinate with key users

Losing key ID

Track key IDs in secure storage

Found an issue on this page? Report it on our feedback form.

PreviousValidate Api Key NextAuthorization

Last updated 8 days ago

Was this helpful?

hashtag5-Line Core

hashtagWhen to Revoke

hashtagStep-by-Step

hashtagComplete Example

hashtagKey Rotation Pattern

hashtagCommon Pitfalls

5-Line Core

When to Revoke

Step-by-Step

Complete Example

Key Rotation Pattern

Common Pitfalls