Commit

Add steps on disabling API keys.
GUI committed May 17, 2024
1 parent fcd8cd5 commit e287389
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions content/docs/agency-manual/index.md
Expand Up @@ -21,6 +21,7 @@ csp:
- [Caching API responses](#caching-api-responses)
- [Setting your API's default rate limits](#setting-your-apis-default-rate-limits)
- [Setting up per-user rate limits](#setting-up-per-user-rate-limits)
- [Disabling an API key](#disabling-an-api-key)
- [Client-side API key rate limits](#client-side-api-key-rate-limits)
- [Defining custom settings for specific URLs or specific types of requests](#defining-custom-settings-for-specific-urls-or-specific-types-of-requests)
- [Embedding the API key signup form on your own documentation site](#embedding-the-api-key-signup-form-on-your-own-documentation-site)
Expand Down Expand Up @@ -207,6 +208,16 @@ You can manage a specific API user's rate limits if you wish to grant an individ
- _Note:_ If you're allowing a user a higher hourly rate limit, we typically recommend also keeping a short duration rate limit in place too (for example, a per-second or per-15 second limit). This ensures that a user can't flood your server with all of their hourly requests every hour.
5. Save the user. Their higher rate limits should immediately be in place.

## Disabling an API key

If you receive a request from a user to deactivate, disable, or delete their API key, then admins with user management access can disable API keys in the admin.

1. **Note:** It's best practice to have the user prove ownership over the key in some fashion, preferably by sending you an e-mail from the e-mail address on file with the full key. Try to be careful not to be phished into disabling a key someone does not actually own.
2. In the top menu, navigate to the "Users" menu and choose "API Users".
3. Find the API user you wish to disable.
4. Under "Account Enabled" choose "Disabled".
5. Save the changes to the form. This key will no longer be able to make any API requests.

## Client-side API key rate limits

For applications that wish to embed the API key client-side (for example, compiled into a mobile app or used in JavaScript ajax queries), then you may want to adjust the API key's rate limits to make it more suitable for client-side usage. The general recommendations for these type of keys are:
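Review bot: In the new "Disabling an API key" list, item 1 is numbered as a step but written as a "**Note:**", whereas the section just above formats notes as an indented "- _Note:_" bullet under the step they belong to. Consider turning it into a real first step (for example "1. Verify that the requester owns the key ...") or moving it into the intro paragraph, so the numbered items are only the admin actions. The wording "an e-mail from the e-mail address on file with the full key" is also ambiguous about whether the address match and the full key are both required; since the same item warns about being phished, it should say explicitly which proof is needed before the key is disabled. Finally, the intro mentions requests to "deactivate, disable, or delete" a key, but the steps only cover setting "Account Enabled" to "Disabled"; please state whether that is the intended handling for delete requests as well, and "in the admin" reads as if a word is missing.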
