Skip to content

API-Key revoked

The presented human API-Key was recognised but has been revoked.

  • The chk_… token resolves to a human_api_key row whose status is revoked.
  • A key is revoked explicitly (admin / self revoke) or implicitly when the owner verifies again - POST /v1/humans/verify mints a fresh key and atomically revokes the prior active one (“single active key per human”).
  • Stop using the revoked token. Obtain the current key from the most recent POST /v1/humans/verify response.
  • If you did not expect the revocation, re-run the verify flow to mint a new key; the old one will never be reactivated.
  • Raised by: packages/identity/src/service/api_key.ts - verify.
  • Guard: if (row.status === 'revoked') throw new ApiKeyError('api_key_revoked', 'this key has been revoked'), mapped to IDENTITY_ERR.api_key_revoked in apps/api/src/middleware/auth.ts.
{
"type": "https://citizenry.id/errors/ERR-P01-IDT-1041",
"title": "Unauthorized",
"status": 401,
"code": "ERR-P01-IDT-1041",
"message": "this key has been revoked",
"method": "POST",
"instance": "/v1/agent/register",
"request_url": "https://api.citizenry.id/v1/agent/register",
"timestamp": "2026-05-17T07:00:00.000Z"
}
  • 0.1.0 - introduced.