curl --request DELETE \
  --url https://api.lightspark.com/grid/2025-10-13/auth/sessions/{id} \
  --header 'Authorization: Basic <encoded-value>'

{
  "payloadToSign": "Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg==",
  "requestId": "7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21",
  "expiresAt": "2026-04-08T15:35:00Z",
  "type": "OAUTH"
}

Revoke an authentication session on an Embedded Wallet internal account. Revocation is a two-step signed-retry flow:
1. Call DELETE /auth/sessions/{id} with no headers. The response is 202 with a payloadToSign, requestId, and expiresAt.
2. Use the session API keypair of a verified session on the same internal account (this can be the session being revoked, for self-logout) to build an API-key stamp over payloadToSign, then retry the same DELETE request with that full stamp as the Grid-Wallet-Signature header and the requestId echoed back as the Request-Id header. The signed retry returns 204.
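The two-step flow above as client logic, in an added Python example that is not part of the original page or Lightspark's own code. The send transport, the build_stamp callback, the FakeGrid server with its 401 failure status, and the HMAC demo_stamp are assumptions made so the flow runs offline; the real API-key stamp format is not given on this page.

```python
import base64, hashlib, hmac
from datetime import datetime, timezone

class RevocationError(Exception):
    pass

def revoke_session(send, session_id, build_stamp, now=None):
    """Two-step signed-retry flow for DELETE /auth/sessions/{id}.
    send(method, path, headers) -> (status, body) is a hypothetical transport that
    also adds Authorization; build_stamp(payload) -> str is the caller's stamp routine."""
    path = f"/auth/sessions/{session_id}"
    status, challenge = send("DELETE", path, {})           # step 1: no signature headers
    if status != 202:
        raise RevocationError(f"expected 202 challenge, got {status}")
    expires = datetime.fromisoformat(challenge["expiresAt"].replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) >= expires:
        raise RevocationError("challenge expired; request a new one")
    # Sign payloadToSign exactly as received: no decoding or re-encoding.
    headers = {"Grid-Wallet-Signature": build_stamp(challenge["payloadToSign"]),
               "Request-Id": challenge["requestId"]}
    status, _ = send("DELETE", path, headers)              # step 2: signed retry
    if status != 204:
        raise RevocationError(f"signed retry rejected with {status}")
    return challenge["requestId"]

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the session API keypair

def demo_stamp(payload):
    """Stand-in stamp (HMAC-SHA256, base64url). NOT the real API-key stamp format."""
    mac = hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

class FakeGrid:
    """Constructed in-memory stand-in for the endpoint so the flow runs offline."""
    def __init__(self, expires_at):
        self.expires_at, self.pending, self.revoked = expires_at, {}, set()
    def send(self, method, path, headers):
        sid, rid = path.rsplit("/", 1)[-1], headers.get("Request-Id")
        if rid is None:                                    # initial call: issue a challenge
            rid = f"constructed-request-{len(self.pending) + 1}"
            self.pending[rid] = (sid, f"constructed-payload-for-{rid}")
            return 202, {"payloadToSign": self.pending[rid][1], "requestId": rid,
                         "expiresAt": self.expires_at, "type": "OAUTH"}
        issued = self.pending.pop(rid, None)               # each challenge is single-use here
        sig = headers.get("Grid-Wallet-Signature", "")
        if not issued or issued[0] != sid or not hmac.compare_digest(sig, demo_stamp(issued[1])):
            return 401, {}                                 # failure status is an assumption
        self.revoked.add(sid)
        return 204, {}
```

Against the real endpoint, build_stamp would be the routine that produces the full API-key stamp with the session API keypair, and send would carry the Authorization header shown in the curl request.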
API token authentication using format <api token id>:<api client secret>
Full API-key stamp built over the prior payloadToSign with the session API keypair of a verified session on the same internal account. Required on the signed retry; ignored on the initial call.
The requestId returned in a prior 202 response, echoed back on the signed retry so the server can correlate it with the issued challenge. Required on the signed retry; must be paired with Grid-Wallet-Signature.
The id of the session to revoke.
Challenge issued. The response contains payloadToSign plus a requestId. Build an API-key stamp over payloadToSign with the session API keypair of a verified session on the same internal account, then echo requestId on the retry.
202 response returned from Embedded Wallet Auth endpoints that require a signed retry — POST /auth/credentials (adding an additional credential), DELETE /auth/credentials/{id} (revoking a credential), and DELETE /auth/sessions/{id} (revoking a session). Carries the signing fields from SignedRequestChallenge plus the type of the authentication credential involved (being added, being revoked, or that issued the session being revoked). The client already knows the target resource id from the request path / body it just sent, so nothing beyond type is echoed in the response.
Canonical payload for the retry authorization stamp. Build an API-key stamp over this exact value with the session API keypair, then send the full base64url-encoded stamp in Grid-Wallet-Signature on the retry that completes the original request.
"Y2hhbGxlbmdlLXBheWxvYWQtdG8tc2lnbg=="
Unique identifier for this request. Must be echoed in the Request-Id header on the signed retry so the server can correlate the retry with the issued challenge.
"7c4a8d09-ca37-4e3e-9e0d-8c2b3e9a1f21"
Timestamp after which this challenge is no longer valid. The signed retry must be submitted before this time.
"2026-04-08T15:35:00Z"
Credential type relevant to this challenge: the credential type being added (POST /auth/credentials), the credential type being revoked (DELETE /auth/credentials/{id}), or the type of credential that issued the session being revoked (DELETE /auth/sessions/{id}).
OAUTH, EMAIL_OTP, PASSKEY