curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/sessions/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Revoke an authentication session
Revoke an authentication session on an Embedded Wallet internal account. Revocation is a two-step signed-retry flow:
-
Call
DELETE /auth/sessions/{id}with no headers. The response is202with apayloadToSign,requestId, andexpiresAt. -
Sign the
payloadToSignwith the session private key of a verified session on the same internal account (this can be the session being revoked, for self-logout) and retry the sameDELETErequest with the signature as theGrid-Wallet-Signatureheader and therequestIdechoed back as theRequest-Idheader. The signed retry returns204.
curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/sessions/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Authorizations
API token authentication using format <api token id>:<api client secret>
Headers
Signature over the payloadToSign returned in a prior 202 response, produced with the session private key of a verified session on the same internal account and base64-encoded. Required on the signed retry; ignored on the initial call.
The requestId returned in a prior 202 response, echoed back on the signed retry so the server can correlate it with the issued challenge. Required on the signed retry; must be paired with Grid-Wallet-Signature.
Path Parameters
The id of the session to revoke.
Response
Challenge issued. The response contains a payloadToSign that must be signed with the session private key of a verified session on the same internal account, along with a requestId that must be echoed back on the retry.
202 response returned from Embedded Wallet Auth endpoints that require a signed retry — POST /auth/credentials (adding an additional credential), DELETE /auth/credentials/{id} (revoking a credential), and DELETE /auth/sessions/{id} (revoking a session). Carries the signing fields from SignedRequestChallenge plus the type of the authentication credential involved (being added, being revoked, or that issued the session being revoked). The client already knows the target resource id from the request path / body it just sent, so nothing beyond type is echoed in the response.
Payload that must be signed with the session private key of a verified authentication credential. The resulting signature is passed as the Grid-Wallet-Signature header on the retry of the originating request to complete the operation.
"Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg=="
Unique identifier for this request. Must be echoed in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.
"7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"
Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.
"2026-04-08T15:35:00Z"
Credential type relevant to this challenge: the credential type being added (POST /auth/credentials), the credential type being revoked (DELETE /auth/credentials/{id}), or the type of credential that issued the session being revoked (DELETE /auth/sessions/{id}).
OAUTH, EMAIL_OTP, PASSKEY Was this page helpful?