# Revoke authorization

> Revoke a previously-issued authorization between two organizations.

Either side of the grant may call this — the granting org (the customer
who signed) or the authorized org (the broker that received the grant).
The API key's organization must be one of the two; otherwise the call
is refused with `403 forbidden`.

Idempotent semantics: a second revoke of the same
(`grantingOrganizationId`, `authorizedOrganizationId`, `type`) tuple
returns `404 authorization_not_found` (the row is already `REVOKED` and
excluded from the active set).

Effect is immediate — subsequent calls that rely on the grant
(requests with `Nxos-On-Behalf-Of` pointing at the granter from the
authorized org) will fail with `403 authorization_required`.
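
The response handling described above, as an added client-side example (not nxos code): it builds the revoke request within the documented limits and maps each documented response to an outcome an off-boarding job can act on. The `send` transport, the outcome labels, the organization ids and `stub_server` (a constructed in-memory stand-in for the API) are assumptions made for illustration.

```python
import json
import uuid

def build_revoke_request(api_key, granting_org, authorized_org, reason=None, idem_key=None):
    """Return (path, headers, body) for POST /v1/authorizations/revoke."""
    if reason is not None and len(reason) > 500:
        raise ValueError("reason exceeds the 500-character limit")
    idem_key = idem_key or str(uuid.uuid4())  # one key per logical revoke; reuse it on retry
    if len(idem_key) > 255:
        raise ValueError("Idempotency-Key exceeds 255 characters")
    payload = {"grantingOrganizationId": granting_org,
               "authorizedOrganizationId": authorized_org, "type": "LOA"}
    if reason is not None:
        payload["reason"] = reason
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json",
               "Idempotency-Key": idem_key}
    return "/v1/authorizations/revoke", headers, json.dumps(payload).encode()

def classify(status, body):
    """Map a revoke response to an outcome label (labels are this example's own)."""
    code = (body.get("error") or {}).get("code")
    if status == 200 and body.get("status") == "REVOKED":
        return "revoked"
    if status == 404 and code == "authorization_not_found":
        return "no_active_grant"  # e.g. a repeat revoke: the row is already REVOKED
    if status == 403 and code == "forbidden":
        return "not_a_party"      # key's org is neither granter nor authorized org
    if status == 429 or status >= 500:
        return "retry"
    return "failed"

def revoke(send, api_key, granting_org, authorized_org, reason=None, idem_key=None):
    """send(method, path, headers, body) -> (status, json_dict) is the injected transport."""
    path, headers, body = build_revoke_request(api_key, granting_org, authorized_org, reason, idem_key)
    return classify(*send("POST", path, headers, body))

def stub_server(caller_org, active_grants):
    """Constructed in-memory stand-in that mimics the responses described on this page."""
    def send(method, path, headers, body):
        req = json.loads(body)
        pair = (req["grantingOrganizationId"], req["authorizedOrganizationId"])
        if caller_org not in pair:
            return 403, {"error": {"code": "forbidden"}}
        if pair not in active_grants:
            return 404, {"error": {"code": "authorization_not_found"}}
        active_grants.discard(pair)
        return 200, {"object": "authorization", "status": "REVOKED", "revokedReason": req.get("reason")}
    return send
```

An off-boarding job can treat both `revoked` and `no_active_grant` as the desired end state, while `not_a_party` points at a wrong API key or organization id and should be surfaced rather than retried.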



## OpenAPI

````yaml POST /v1/authorizations/revoke
openapi: 3.0.0
info:
  title: nxos API
  version: 1.0.0
  contact:
    name: nxos
    url: https://nxos.io
  description: |-
    The nxos platform API provides programmatic access to accounts, balances,
    quotes, and trades. All endpoints require API key authentication.
servers:
  - url: https://api.nxos.io
    description: Production
    variables: {}
  - url: https://api.sandbox.nxos.io
    description: Sandbox
    variables: {}
security: []
tags:
  - name: Accounts
  - name: Quotes
  - name: Beneficiaries
  - name: Fiat Payouts
  - name: Crypto Payouts
  - name: Nxosnet
  - name: Fees
  - name: Funding Methods
  - name: Transactions
  - name: Organizations
  - name: Authorizations
  - name: Webhooks
    description: >-
      Register an HTTPS endpoint to receive events (organization verification
      and transaction status changes) instead of polling. Deliveries are signed;
      verify the `svix-signature` header before acting on an event.

      See the [Webhooks guide](https://docs.nxos.io/core-concepts/webhooks) for
      the delivery format, signature verification, retries, and broker behavior.
      Payload shapes are documented in the `…Event` models below.
paths:
  /v1/authorizations/revoke:
    post:
      tags:
        - Authorizations
      description: |-
        Revoke a previously-issued authorization between two organizations.

        Either side of the grant may call this — the granting org (the customer
        who signed) or the authorized org (the broker that received the grant).
        The API key's organization must be one of the two; otherwise the call
        is refused with `403 forbidden`.

        Idempotent semantics: a second revoke of the same tuple returns
        `404 authorization_not_found` (the row is already `REVOKED` and
        excluded from the active set).

        Effect is immediate — subsequent calls that rely on the grant
        (requests with `Nxos-On-Behalf-Of` pointing at the granter from the
        authorized org) will fail with `403 authorization_required`.
      operationId: Authorizations_revoke
      parameters:
        - $ref: '#/components/parameters/ApiKeyAuth'
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RevokeAuthorizationRequest'
      responses:
        '200':
          description: The request has succeeded.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Authorization'
        '400':
          description: The server could not understand the request due to invalid syntax.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error400'
        '401':
          description: Access is unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error401'
        '403':
          description: Access is forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error403'
        '404':
          description: The server cannot find the requested resource.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error404'
        '409':
          description: The request conflicts with the current state of the server.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error409'
        '429':
          description: Client error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error429'
        '500':
          description: Server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error500'
components:
  parameters:
    ApiKeyAuth:
      name: Authorization
      in: header
      required: true
      description: 'Bearer token. Format: `Bearer <api_key>`'
      schema:
        type: string
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      required: false
      description: >-
        Unique key per logical operation. UUID v4 recommended. Max 255
        characters.
      schema:
        type: string
  schemas:
    RevokeAuthorizationRequest:
      type: object
      required:
        - grantingOrganizationId
        - authorizedOrganizationId
        - type
      properties:
        grantingOrganizationId:
          type: string
          description: Organization that granted the authorization (the customer).
        authorizedOrganizationId:
          type: string
          description: >-
            Organization that received the authorization (the broker /
            platform).
        type:
          allOf:
            - $ref: '#/components/schemas/AuthorizationType'
          description: Type of grant to revoke. Currently always `LOA`.
        reason:
          type: string
          description: >-
            Optional free-form reason for the revocation (max 500 chars). Stored
            on the row for audit.
      description: Request body for `POST /v1/authorizations/revoke`.
    Authorization:
      type: object
      required:
        - object
        - grantingOrganizationId
        - authorizedOrganizationId
        - type
        - status
        - signedAt
        - revokedAt
        - revokedReason
        - createdAt
        - updatedAt
      properties:
        object:
          type: string
          enum:
            - authorization
          description: Object type. Always `authorization`.
        grantingOrganizationId:
          type: string
          description: Organization that granted the authorization (the customer).
        authorizedOrganizationId:
          type: string
          description: >-
            Organization that received the authorization (the broker /
            platform).
        type:
          allOf:
            - $ref: '#/components/schemas/AuthorizationType'
          description: Type of grant. Currently always `LOA`.
        status:
          allOf:
            - $ref: '#/components/schemas/AuthorizationStatus'
          description: Current status — `PENDING`, `ACTIVE`, or `REVOKED`.
        signedAt:
          type: string
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          nullable: true
          description: >-
            ISO 8601 timestamp when the granter signed. `null` when the row is
            still `PENDING`.
        revokedAt:
          type: string
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          nullable: true
          description: >-
            ISO 8601 timestamp when the grant was revoked. `null` until
            revocation.
        revokedReason:
          type: string
          nullable: true
          description: >-
            Optional free-form reason captured at revocation time. `null` when
            not provided.
        createdAt:
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          description: >-
            ISO 8601 timestamp when the row was first created (usually when the
            LOA invitation was issued).
        updatedAt:
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          description: >-
            ISO 8601 timestamp of the most recent state change (signing or
            revocation).
      description: A cross-org authorization grant between two organizations.
      example:
        object: authorization
        grantingOrganizationId: org_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
        authorizedOrganizationId: org_b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5
        type: LOA
        status: REVOKED
        signedAt: '2025-12-01T10:30:00.000Z'
        revokedAt: '2026-03-15T14:30:00.000Z'
        revokedReason: Client off-boarded
        createdAt: '2025-12-01T10:30:00.000Z'
        updatedAt: '2026-03-15T14:30:00.000Z'
    Error400:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: invalid_request
          message: The request body is malformed or missing required fields.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error401:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: missing_api_key
          message: No Authorization header provided.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error403:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: forbidden
          message: Your organization is not enabled for this action.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error404:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: not_found
          message: The requested resource was not found.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error409:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: quote_expired
          message: The quote has expired.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error429:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: rate_limited
          message: 'Rate limit exceeded: 1000 requests per minute. Retry in 23 seconds.'
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error500:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: internal_error
          message: An unexpected server error occurred.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    AuthorizationType:
      type: string
      enum:
        - LOA
      description: >-
        Type of cross-org authorization. Today the only value is `LOA` (Letter
        of Authorization), which lets the authorized organization act on the
        granter's behalf via the platform API when the `Nxos-On-Behalf-Of`
        header is set.
    AuthorizationStatus:
      type: string
      enum:
        - PENDING
        - ACTIVE
        - REVOKED
      description: >-
        Lifecycle status of an authorization grant.


        - `PENDING`  — Row exists, the granter has not signed yet. The
        authorized org cannot act on the granter's behalf.

        - `ACTIVE`   — Granter has signed (`signedAt` is set). The authorized
        org may act on the granter's behalf when the `Nxos-On-Behalf-Of` header
        is set.

        - `REVOKED`  — Previously active or pending, then revoked by either
        party. Kept for audit; never reverts to `ACTIVE`.
    dateTimeString:
      type: string
      description: ISO 8601 timestamp string.
    ErrorBody:
      type: object
      required:
        - code
        - message
        - requestId
      properties:
        code:
          allOf:
            - $ref: '#/components/schemas/ErrorCode'
          description: Machine-readable error code.
        message:
          type: string
          description: Human-readable error message.
        requestId:
          type: string
          description: Unique identifier for this request, useful for debugging.
    ErrorCode:
      type: string
      enum:
        - missing_api_key
        - authentication_failed
        - invalid_api_key
        - forbidden
        - not_found
        - organization_not_found
        - account_not_found
        - quote_not_found
        - beneficiary_not_found
        - transaction_not_found
        - funding_method_not_found
        - authorization_not_found
        - nxosnet_handle_not_found
        - quote_expired
        - quote_already_used
        - beneficiary_already_archived
        - beneficiary_not_archived
        - beneficiary_blocked
        - nxosnet_not_enabled
        - nxosnet_handle_taken
        - chain_send_failed
        - idempotency_key_in_use
        - idempotency_request_in_flight
        - invalid_request
        - insufficient_funds
        - validation_error
        - share_token_invalid
        - verification_import_unsupported
        - rate_limited
        - webhooks_unavailable
        - internal_error
      description: All possible error codes returned by the API.

````