curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Revoke an authentication credential
Revoke an authentication credential on an Embedded Wallet internal account.
Revocation is a two-step flow because it must be authorized by a session on a different credential on the same internal account:
-
Call
DELETE /auth/credentials/{id}with no headers. The response is202with apayloadToSign,requestId, andexpiresAt. -
Sign the
payloadToSignwith the session private key of an existing verified credential on the same internal account — other than the one being revoked — and retry the sameDELETErequest with the signature supplied as theGrid-Wallet-Signatureheader and therequestIdechoed back as theRequest-Idheader. The signed retry returns204.
The account must retain at least one authentication credential; an account with only a single credential cannot use this endpoint to revoke it.
curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Authorizations
API token authentication using format <api token id>:<api client secret>
Headers
Signature over the payloadToSign returned in a prior 202 response, produced with the session private key of an existing verified authentication credential on the same internal account (other than the one being revoked) and base64-encoded. Required on the signed retry; ignored on the initial call.
The requestId returned in a prior 202 response, echoed back on the signed retry so the server can correlate it with the issued challenge. Required on the signed retry; must be paired with Grid-Wallet-Signature.
Path Parameters
The id of the authentication credential to revoke (the id field of the AuthMethod returned from POST /auth/credentials).
Response
Challenge issued. The response contains a payloadToSign that must be signed with the session private key of an existing verified credential on the same internal account (other than the one being revoked), along with a requestId that must be echoed back on the retry.
202 response returned from Embedded Wallet Auth endpoints that require a signed retry — POST /auth/credentials (adding an additional credential), DELETE /auth/credentials/{id} (revoking a credential), and DELETE /auth/sessions/{id} (revoking a session). Carries the signing fields from SignedRequestChallenge plus the type of the authentication credential involved (being added, being revoked, or that issued the session being revoked). The client already knows the target resource id from the request path / body it just sent, so nothing beyond type is echoed in the response.
Payload that must be signed with the session private key of a verified authentication credential. The resulting signature is passed as the Grid-Wallet-Signature header on the retry of the originating request to complete the operation.
"Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg=="
Unique identifier for this request. Must be echoed in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.
"7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"
Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.
"2026-04-08T15:35:00Z"
Credential type relevant to this challenge: the credential type being added (POST /auth/credentials), the credential type being revoked (DELETE /auth/credentials/{id}), or the type of credential that issued the session being revoked (DELETE /auth/sessions/{id}).
OAUTH, EMAIL_OTP, PASSKEY Was this page helpful?