API Key Revoked
api_key_revoked401
This key was deactivated. Rotate to a fresh key — don't try to reactivate.
What this means
The credential in the request matches a real API key in our system, but that key has been marked as revoked. We refuse it as a credential and return this error. Revoked keys can't be reactivated — once revoked, a key is permanently dead. The fix is to create a new key, not to restore the old one.
When you'll see this
- An admin on the account revoked the key intentionally (security incident response, key rotation, decommissioning an old integration).
- The key was auto-revoked because a previous OAuth flow superseded it.
- A subscription expired and the account's keys were deactivated en masse.
- An automated security scan detected a leaked key and revoked it.
Learn more about how this works
Revocation is a one-way operation. When a key is revoked, we keep the record (for audit and reporting purposes — you can still see its usage history in the dashboard) but mark it inactive. Subsequent auth attempts return this error rather than api_key_not_found, because the key did exist; it just isn't valid anymore. From your client's perspective, the action is the same: get a new key.
In practice: if you see this in your logs, an admin revoked the key — or you did and forgot. The fix is rotation, not panic. Generate a fresh key, update your config, deploy, and the integration recovers.
Example response
{
"success": false,
"error": "api_key_revoked",
"message": "This API key has been revoked.",
"details": [],
"retry_after": null,
"doc_url": "https://docs.asterwise.com/reference/errors/api_key_revoked",
"request_id": "req_01HXYZABCDEFGH",
"timestamp": "2026-05-25T12:34:56Z"
}
- Sign in at asterwise.com/dashboard and open the API Keys page.
- Create a new API key. Copy it once — full keys aren't displayed after the initial creation screen.
- Update your integration's config with the new key and deploy.
Treat as a hard auth failure. Don't retry; the same key will always be rejected. Surface clearly so the operator knows to rotate.
Python:
Production handler
- Python
- TypeScript
import httpx
import logging
logger = logging.getLogger(__name__)
class AsterwiseKeyRevokedError(Exception):
"""Key was revoked. Generate a new key to recover."""
def call_asterwise(url, headers, payload):
response = httpx.post(url, headers=headers, json=payload, timeout=30)
if response.status_code == 401:
body = response.json()
if body.get("error") == "api_key_revoked":
logger.critical(
"Asterwise key revoked — integration needs rotation",
extra={"request_id": body.get("request_id")},
)
raise AsterwiseKeyRevokedError(
"API key revoked. "
"Generate a new key at asterwise.com/dashboard."
)
response.raise_for_status()
return response.json()
class AsterwiseKeyRevokedError extends Error {}
async function callAsterwise(url: string, headers: HeadersInit, payload: unknown) {
const response = await fetch(url, {
method: "POST",
headers,
body: JSON.stringify(payload),
});
if (response.status === 401) {
const body = await response.json();
if (body.error === "api_key_revoked") {
console.error("Asterwise key revoked — integration needs rotation", {
request_id: body.request_id,
});
throw new AsterwiseKeyRevokedError(
"API key revoked. " +
"Generate a new key at asterwise.com/dashboard.",
);
}
}
if (!response.ok) throw new Error(`HTTP ${response.status}`);
return response.json();
}
Avoid this error by
- Plan for key rotation. Build the new-key-then-revoke-old sequence into your deployment pipeline so this error never reaches production traffic.
- When rotating, deploy the new key, verify it works (
GET /v1/keys/me), then revoke the old one. Don't reverse the order — old key revoked before new key deployed equals downtime. - Set up monitoring for
api_key_revokedin your own logs. A sudden spike means a key was revoked unexpectedly — usually because of a security event you should investigate. - For team-managed accounts, document who can revoke keys and when. Surprise revocations cause incidents.