curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Revoke an authentication credential
Revoke an authentication credential on an Embedded Wallet internal account.
Revocation is a two-step flow because it must be authorized by a session on a different credential on the same internal account:
-
Call
DELETE /auth/credentials/{id}with no headers. The response is202with apayloadToSign,requestId, andexpiresAt. -
Use the session API keypair of an existing verified credential on the same internal account — other than the one being revoked — to build an API-key stamp over
payloadToSign, then retry the sameDELETErequest with that full stamp as theGrid-Wallet-Signatureheader and therequestIdechoed back as theRequest-Idheader. The signed retry returns204.
The account must retain at least one authentication credential; an account with only a single credential cannot use this endpoint to revoke it.
curl --request DELETE \
--url https://api.lightspark.com/grid/2025-10-13/auth/credentials/{id} \
--header 'Authorization: Basic <encoded-value>'{
"payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
"requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
"expiresAt": "2026-04-08T15:35:00Z",
"type": "OAUTH"
}Authorizations
API token authentication using format <api token id>:<api client secret>
Headers
Full API-key stamp built over the prior payloadToSign with the session API keypair of an existing verified authentication credential on the same internal account (other than the one being revoked). Required on the signed retry; ignored on the initial call.
The requestId returned in a prior 202 response, echoed back on the signed retry so the server can correlate it with the issued challenge. Required on the signed retry; must be paired with Grid-Wallet-Signature.
Path Parameters
The id of the authentication credential to revoke (the id field of the AuthMethod returned from POST /auth/credentials).
Response
Challenge issued. The response contains payloadToSign plus a requestId. Build an API-key stamp over payloadToSign with the session API keypair of an existing verified credential on the same internal account (other than the one being revoked), then echo requestId on the retry.
202 response returned from Embedded Wallet Auth endpoints that require a signed retry — POST /auth/credentials (adding an additional credential), DELETE /auth/credentials/{id} (revoking a credential), and DELETE /auth/sessions/{id} (revoking a session). Carries the signing fields from SignedRequestChallenge plus the type of the authentication credential involved (being added, being revoked, or that issued the session being revoked). The client already knows the target resource id from the request path / body it just sent, so nothing beyond type is echoed in the response.
Canonical payload for the retry authorization stamp. Build an API-key stamp over this exact value with the session API keypair, then send the full base64url-encoded stamp in Grid-Wallet-Signature on the retry that completes the original request.
"Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg=="
Unique identifier for this request. Must be echoed in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.
"7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"
Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.
"2026-04-08T15:35:00Z"
Credential type relevant to this challenge: the credential type being added (POST /auth/credentials), the credential type being revoked (DELETE /auth/credentials/{id}), or the type of credential that issued the session being revoked (DELETE /auth/sessions/{id}).
OAUTH, EMAIL_OTP, PASSKEY Was this page helpful?