DELETE /v1/delete
Zeroize a user's stored embedding and revoke any active JWTs for that
user_id. GDPR Article 17 and CCPA right-to-erasure compliant.
Idempotent: deleting an already-deleted user returns 200 with the original
deletion timestamp.
Request
DELETE /v1/delete
Authorization: Bearer lorica-prod-...
Content-Type: application/json
{
  "user_id": "usr_4Z9X2fK8mPq"
}
Body parameters
| Field | Type | Required | Description |
|---|---|---|---|
| user_id | string | yes | The user to delete. |
Response — 200 OK
{
  "user_id": "usr_4Z9X2fK8mPq",
  "deleted_at": 1720123456,
  "embedding_zeroized": true,
  "jwts_revoked": 3
}
What "zeroized" means
The encrypted embedding row in the database is overwritten with random bytes, then the row is dropped. The per-tenant encryption key remains — other users under the same tenant continue to function. There is no soft-delete; the embedding is unrecoverable once this call returns.
What about derived data
Active JWTs that reference this user_id are added to a
revocation set checked on every JWT signature validation against the
Lorica audit endpoint. Local JWT validation in your backend continues
to succeed for the JWT's natural 60-second lifetime — coordinate
revocation with your application logic if your verify-to-execute window
is longer.
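One way to coordinate revocation in your own backend when the verify-to-execute window exceeds the 60-second JWT lifetime is a local denylist fed by the delete response and checked at execute time. This is an added example, not Lorica's code; `DeletionGate`, `verify_to_execute_s` and `clock_skew_s` are hypothetical names, and extracting `user_id` from the locally verified JWT is left to your application.

```python
import time

JWT_LIFETIME_S = 60  # natural JWT lifetime stated on this page


class DeletionGate:
    """Backend-local denylist of deleted user_ids (hypothetical helper)."""

    def __init__(self, verify_to_execute_s, clock_skew_s=5):
        # Worst case: a token minted just before deletion passes local
        # validation for JWT_LIFETIME_S, and the action it authorized runs
        # verify_to_execute_s after that. Keep entries at least that long.
        self.retention_s = JWT_LIFETIME_S + verify_to_execute_s + clock_skew_s
        self._deleted = {}  # user_id -> deleted_at (unix seconds)

    def record_deletion(self, response):
        """Record the parsed 200 body returned by DELETE /v1/delete."""
        # The endpoint is idempotent and returns the original timestamp,
        # so recording a repeated response does not extend retention.
        self._deleted[response["user_id"]] = response["deleted_at"]

    def may_execute(self, user_id, now=None):
        """Call immediately before acting on a locally verified JWT."""
        now = time.time() if now is None else now
        self._prune(now)
        return user_id not in self._deleted

    def _prune(self, now):
        # Past the retention window no pre-deletion token can still be in
        # flight, so JWT validation alone rejects the user from here on.
        for uid in [u for u, t in self._deleted.items()
                    if now > t + self.retention_s]:
            del self._deleted[uid]


if __name__ == "__main__":
    # Constructed sample: the response body shown on this page.
    sample = {"user_id": "usr_4Z9X2fK8mPq", "deleted_at": 1720123456,
              "embedding_zeroized": True, "jwts_revoked": 3}
    gate = DeletionGate(verify_to_execute_s=300)  # e.g. a 5-minute job queue
    gate.record_deletion(sample)
    print(gate.may_execute("usr_4Z9X2fK8mPq", now=1720123456 + 90))  # False
```

With more than one backend process, the denylist has to live in storage that all of them share; the in-memory dict here covers a single process only.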