Batch Delete Sessions
Bulk soft-delete User Verification (KYC) sessions by their numeric session_number, or wipe every KYC session in your application with delete_all: true.
session_number is the human-friendly incrementing counter shown in the Console session list and returned as session_number by the create-session and decision endpoints — it is not the session_id UUID. To delete a session by UUID — or to delete a Business Verification (KYB) session, which this endpoint never touches — use DELETE /v3/session/{sessionId}/delete/ instead.
Each deleted session gets exactly the same treatment as the single-session delete endpoint: stamped with a deletion timestamp, removed from all read endpoints, related face/liveness/face-match records soft-deleted, and all stored media moved to a quarantined storage prefix by a background job so previously issued media URLs stop resolving. Database records are retained internally but become unreachable through the API; blocklist entries are not removed; no webhook is emitted; there is no undo.
Selection semantics:
- Entries in
session_numbersthat do not match a live KYC session in your application — unknown numbers, already-deleted sessions, or sessions owned by another application — are silently skipped. There is no per-item failure report: the endpoint returns204whether it deleted all, some, or none of the listed sessions. - Validation failures (a non-numeric entry, an empty list, or neither
session_numbersnordelete_allprovided) reject the whole request with400and delete nothing. - All deletions run inside a single database transaction.
- There is no documented cap on the list length; the shared write rate limit (below) is the practical bound.
Idempotency: fully idempotent — repeating the same request returns 204 again (already-deleted numbers are skipped).
delete_all: true — destructive: soft-deletes every non-deleted KYC session in the application; session_numbers is ignored when set. There is no confirmation step and no undo.
Authentication: API key in the x-api-key header. Missing or invalid credentials return 403 ({"detail": "You do not have permission to perform this action."}) — this API never returns 401.
Rate limit: shared write budget of 300 requests/min per API key across all POST/PATCH/DELETE endpoints; exceeding it returns 429.
This endpoint accepts API keys only — Business Console user Bearer tokens are rejected with 403 (unlike the single-session delete, which accepts both).
Authorizations
Body
Numeric session_number values of the KYC sessions to soft-delete, as digit-only strings (JSON numbers are also accepted and coerced). Required unless delete_all is true; an empty list returns 400. Any non-digit entry rejects the whole request with 400 (unless delete_all is true, in which case validation is skipped and the entries are ignored). Numbers that do not match a live session in your application are silently skipped.
1^[0-9]+$When true, every non-deleted KYC session in the calling application is soft-deleted and session_numbers is ignored. Defaults to false. Irreversible — there is no confirmation step.
false
Response
Request accepted and all matching sessions soft-deleted. Empty body. Returned even when some or all session_numbers matched nothing (unknown or already deleted) — there is no per-item report.