Skip to main content
POST
/
v1
/
revokeApiKey
Revoke API key
curl --request POST \
  --url https://api.testnet.arcus.xyz/v1/revokeApiKey \
  --header 'Content-Type: application/json' \
  --data '
{
  "address": "<string>",
  "publicKey": "<string>",
  "apiWalletName": "<string>",
  "signature": {
    "r": "<string>",
    "s": "<string>",
    "v": "<string>"
  }
}
'
{
  "apiKey": "<string>",
  "address": "<string>",
  "revokedAt": 123,
  "accountIndex": 4
}
Revoke (remove) an existing API key. The request is authenticated by an EIP-191 personal_sign signature over the canonical revoke message, produced with the wallet that owns address (the same wallet that originally signed the matching createApiKey). The gateway recovers the signer with ecrecover and rejects mismatches with HTTP 401. This endpoint does not require an X-API-Key header so the owner can still revoke a key that has been lost or compromised.

Signing the request

Identical to createApiKey — use the wallet’s standard personal_sign API; the wallet handles the EIP-191 prefix automatically, you do not need to construct it yourself. The only difference is the canonical message does not include validUntil (revoke applies regardless of the key’s remaining lifetime):
// viem
const message = JSON.stringify({
  apiWalletName: "Arcus",
  apiWalletPublicKey: pubKeyHex,   // 64 hex chars, no 0x
});
const sig = await walletClient.signMessage({ account, message });

// ethers
const sig = await signer.signMessage(message);
Split the 65-byte result into {r, s, v} for the request body:
const signature = {
  r: "0x" + sig.slice(2, 66),
  s: "0x" + sig.slice(66, 130),
  v: "0x" + sig.slice(130, 132),
};

Canonical message format

{"apiWalletName":"<apiWalletName>","apiWalletPublicKey":"<publicKey>"}
Keys in this exact order, no whitespace, no trailing newline. The gateway rebuilds this same string from the request body fields, applies the EIP-191 prefix on its side, recovers the signer, and rejects the request with HTTP 401 if the recovered address does not equal address. Revokes signed by any wallet other than the original creator are rejected.

Body

application/json
address
string
required

Ethereum address that owns the API key to revoke.

Pattern: ^(0x|0X)?[0-9a-fA-F]{40}$
Example:

"0x742d35cc6634c0532925a3b844bc9e7595f2bd18"

publicKey
string
required

Hex-encoded Ed25519 public key that identifies the API key to revoke.

Required string length: 64
Pattern: ^[0-9a-fA-F]{64}$
Example:

"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"

apiWalletName
string
required

Name of the API wallet (included in the signing message, must match createAPIKey).

Required string length: 1 - 64
Example:

"Arcus"

signature
object
required

EIP-191 personal_sign signature (r, s, v) produced by the wallet that owns address — must be the same wallet that originally signed the matching createApiKey. See the POST /v1/revokeApiKey endpoint description for the full client-side signing recipe (canonical message, wallet API examples). Requests where the recovered signer does not equal address are rejected with HTTP 401.

Response

API key revocation accepted and dispatched to the matching engine.

apiKey
string
required

API key (hex string) that was revoked.

address
string
required

20-byte EVM address as hex: optional 0x or 0X prefix and exactly 40 hexadecimal digits. API responses normalize to lowercase af after 0x.

Pattern: ^(0x|0X)?[0-9a-fA-F]{40}$
revokedAt
integer<int64>
required

Revocation timestamp (epoch microseconds).

accountIndex
integer

Account index for this API key.

Required range: 0 <= x <= 9