Appearance
Terminate
Permanently deletes a user account using either soft or hard delete strategy. This is an irreversible operation that requires authentication.
Endpoint
POST /auth/terminateAuthentication: Tenant authentication and user authentication required
Description
The terminate endpoint allows authenticated users to delete their account permanently. The endpoint supports two deletion strategies:
- Soft delete (
suspended): The account is marked as suspended and hidden from the system, but the data is retained. This allows for potential account recovery in the future. - Hard delete (
terminated): The account is permanently deleted and marked as terminated. This is a more permanent deletion strategy.
After successful termination:
- The user's status is transitioned to
suspended(soft delete) orterminated(hard delete) - The operation returns a success response
- If the account is terminated (hard delete), it can no longer be used for authentication
Important: After a successful termination, the application must immediately discard and stop using the access token. Terminated accounts (hard delete) cannot be used for any API requests.
Request
Body
json
{
"reason": "User requested account deletion",
"strategy": "soft"
}| Parameter | Type | Required | Description | Constraints |
|---|---|---|---|---|
reason | string | Yes | Reason for account termination | Non-empty string |
strategy | string | Yes | Deletion strategy | Must be "soft" or "hard" |
Response
Status Code: 201 Created
json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"data": {
"success": true
}
}| Field | Type | Description |
|---|---|---|
success | boolean | Always true on success |
Rate Limiting
Rate limiting is applied to prevent abuse and ensure system stability. The terminate endpoint has the following rate limits:
| Limit Type | Rate | Window |
|---|---|---|
| Per IP | 10 requests | 1 hour |
When rate limits are exceeded, the API returns a 429 Too Many Requests status code.
For information about rate limit headers, see Rate Limiting in the overview.
Errors
For detailed explanations of all error codes, see the Error Codes page where you can find all system errors.
400 Bad Request - Validation Error
Occurs when the request body fails validation. Common causes include missing required fields or invalid strategy value.
json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"error": {
"message": "The provided request data is invalid.",
"code": "VALIDATION_ERROR",
"status": 400,
"validation": {
"reason": "Required",
"strategy": "Invalid enum value. Expected 'soft' | 'hard', received 'invalid'"
}
}
}| Field | Error Message | Cause |
|---|---|---|
reason | Required | Reason is missing |
strategy | Invalid enum value | Strategy is not "soft" or "hard" |
403 Forbidden - Restricted Capability
Occurs when the terminate capability is restricted for the tenant or user.
json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"error": {
"message": "Capability terminate is restricted",
"code": "RESTRICTED_CAPABILITY",
"status": 403
}
}429 Too Many Requests - Rate Limit Exceeded
Occurs when the rate limit is exceeded. See Rate Limiting section for details.
json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"error": {
"message": "Too many requests",
"code": "TOO_MANY_REQUESTS",
"status": 429
}
}500 Internal Server Error
Occurs when an internal error happens during account termination. Common causes include missing terminate reason or strategy, missing user context, or other unexpected system state.
Error codes:
UNEXPECTED_STATE- Unexpected system state (e.g., missing terminate reason or strategy, missing user context)INTERNAL_SERVER- General internal server error
json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"error": {
"message": "Missing terminate reason or strategy",
"code": "UNEXPECTED_STATE",
"status": 500
}
}json
{
"meta": {
"requestId": "req-12345",
"timestamp": "2025-01-15T10:30:00.000Z"
},
"error": {
"message": "Something went wrong on our side.",
"code": "INTERNAL_SERVER",
"status": 500
}
}Notes
- The terminate endpoint requires user authentication via a valid JWT access token
- After termination, the application must delete the access token from local storage and never use it again
- Soft delete (
suspended) allows for potential account recovery, while hard delete (terminated) is permanent - Terminated accounts (hard delete) cannot be used for authentication or API requests