> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Batch Delete Users

> **Hard delete** users — rows are removed permanently (including previously soft-deleted records). For everyday blocking prefer [Update User Status](#patch-/v3/users/-vendor_data-/update-status/) with `BLOCKED`. Unlike the businesses endpoint, this endpoint only accepts `vendor_data_list` or `delete_all` (no `didit_internal_id_list`).

export const AgentPromptAccordion = ({prompt, title = "AI Agent Integration Prompt"}) => {
  const [copied, setCopied] = React.useState(false);
  const handleCopy = e => {
    e.stopPropagation();
    if (!prompt) return;
    navigator.clipboard.writeText(prompt.trim()).then(() => {
      setCopied(true);
      setTimeout(() => setCopied(false), 2000);
    });
  };
  const agents = ["Claude Code", "Codex", "Cursor", "Devin", "Windsurf", "GitHub Copilot"];
  return <div className="didit-agent-card">
      {}
      <div className="didit-agent-titlebar">
        <div className="didit-agent-dots" aria-hidden="true">
          <span className="didit-agent-dot didit-agent-dot-red"></span>
          <span className="didit-agent-dot didit-agent-dot-yellow"></span>
          <span className="didit-agent-dot didit-agent-dot-green"></span>
        </div>
        <span className="didit-agent-filename">{title}</span>
        <button type="button" className={`didit-agent-copy ${copied ? "didit-agent-copy-copied" : ""}`} onClick={handleCopy} title="Copy prompt to clipboard" aria-label={copied ? "Copied!" : "Copy prompt to clipboard"}>
          {copied ? <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <path d="M3 8.5l3.5 3.5L13 4" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" />
              </svg>
              <span>Copied</span>
            </> : <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <rect x="5" y="5" width="9" height="9" rx="1.5" stroke="currentColor" strokeWidth="1.5" />
                <path d="M11 5V3.5A1.5 1.5 0 0 0 9.5 2h-6A1.5 1.5 0 0 0 2 3.5v6A1.5 1.5 0 0 0 3.5 11H5" stroke="currentColor" strokeWidth="1.5" />
              </svg>
              <span>Copy</span>
            </>}
        </button>
      </div>

      {}
      <pre className="didit-agent-body"><code>{prompt.trim()}</code></pre>

      {}
      <div className="didit-agent-footer">
        <span className="didit-agent-footer-label">Paste into</span>
        <div className="didit-agent-chips">
          {agents.map(name => <span key={name} className="didit-agent-chip">{name}</span>)}
        </div>
      </div>
    </div>;
};

<AgentPromptAccordion
  title="Batch Delete Users Prompt"
  prompt={`Goal: Hard-delete one or many Didit User entities. This is a HARD delete on the VendorUser table — the matching rows, their tag links, and their comment history are removed permanently. Per-session records (KYC sessions) live in their own tables and are NOT removed by this endpoint; manage those separately with POST /v3/sessions/delete/.

Endpoint: POST https://verification.didit.me/v3/users/delete/
Auth header: x-api-key: <DIDIT_API_KEY>
Content-Type: application/json

Request body — provide EXACTLY ONE selector (mutually exclusive):
- vendor_data_list: string[] — your own identifiers (case-insensitive after normalisation).
- didit_internal_id_list: string[] (UUIDs) — Didit's internal IDs.
- delete_all: true — wipe every user in this application. No confirmation, no undo.

curl:
curl -X POST 'https://verification.didit.me/v3/users/delete/' \\
-H 'x-api-key: YOUR_API_KEY' \\
-H 'Content-Type: application/json' \\
-d '{"vendor_data_list": ["user-123", "user-456"]}'

Response 200:
{
"deleted": <int — number of rows actually removed; excludes vendor_data values that didn't match>
}

Idempotency: re-sending the same list returns deleted: 0 after the first run (unmatched IDs are silently skipped). There is no undo.

Failure modes:
- 400 — no selector supplied. { "detail": "Provide vendor_data_list or set delete_all=true." }
- 401 — missing/invalid x-api-key.
- 403 — lacks delete:users. { "detail": "You do not have permission to perform this action." }
- 429 — rate-limited.

WARNING — delete_all: true: there is no confirmation step and no undo. Restrict to API keys you intentionally provision for batch maintenance.

When to prefer status change instead:
- For day-to-day blocking, use PATCH /v3/users/{vendor_data}/update-status/ with {"status": "BLOCKED"} — it keeps the audit trail intact while rejecting future sessions for the same identifier.

For end-to-end Didit integration, paste in the full prompt at /integration/integration-prompt.`}
/>

## Overview

Deletes one or more [User entities](/entities/users/overview). Session history, transactions, and audit logs are retained for your application's [data retention](/console/data-retention) period before hard deletion.

## When to use it

* **Right-to-be-forgotten** requests (GDPR / CCPA).
* **Clean-up** of test users during QA.
* **Deprovisioning** users removed from your own platform.

## Notes

* Accepts a list of `vendor_data` values or `didit_internal_id` values.
* Idempotent — deleting an already-deleted user is a no-op and returns success for that row.
* Returns per-row results so you can detect unknown IDs or rows that could not be deleted.
* Emits a `user.data.updated` webhook with `deleted_at` set.
* Faces, documents, and sessions linked to the user are deleted alongside and removed from the face-search index.

## Permissions

Role must grant `delete:users`. This is typically reserved for `OWNER` and `ADMIN`.

## Related

* [Data retention](/console/data-retention)
* [Audit logs](/console/audit-logs)
* [User operations](/entities/users/operations)


## OpenAPI

````yaml POST /v3/users/delete/
openapi: 3.0.0
info:
  version: 3.0.0
  title: Didit Verification API
  description: Identity verification API. Authenticate with x-api-key header.
servers:
  - url: https://verification.didit.me
security: []
tags: []
paths:
  /v3/users/delete/:
    post:
      tags:
        - Users
      summary: Batch delete users
      description: >-
        **Hard delete** users — rows are removed permanently (including
        previously soft-deleted records). For everyday blocking prefer [Update
        User Status](#patch-/v3/users/-vendor_data-/update-status/) with
        `BLOCKED`. Unlike the businesses endpoint, this endpoint only accepts
        `vendor_data_list` or `delete_all` (no `didit_internal_id_list`).
      operationId: batch_delete_users
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              description: >-
                Provide `vendor_data_list` or `delete_all: true`. When
                `delete_all` is `true` it takes precedence and
                `vendor_data_list` is ignored.
              properties:
                vendor_data_list:
                  type: array
                  items:
                    type: string
                  description: Your own identifiers to delete, matched exactly as sent.
                delete_all:
                  type: boolean
                  default: false
                  description: If `true`, deletes every user in the application.
            examples:
              Specific users:
                summary: Delete users by vendor_data
                value:
                  vendor_data_list:
                    - user-123
                    - user-456
              All users:
                summary: Wipe every user in this application
                value:
                  delete_all: true
      responses:
        '200':
          description: Users deleted. Returns the number of rows actually removed.
          content:
            application/json:
              schema:
                type: object
                properties:
                  deleted:
                    type: integer
                    description: >-
                      Number of users deleted (excludes vendor_data values that
                      didn't match anything).
              examples:
                Deleted some:
                  value:
                    deleted: 2
                Nothing matched:
                  value:
                    deleted: 0
        '400':
          description: >-
            No selector supplied (`vendor_data_list` missing/empty and
            `delete_all` not `true`). The error body is a JSON array.
          content:
            application/json:
              examples:
                Missing selector:
                  value:
                    - Provide vendor_data_list or set delete_all=true.
        '401':
          description: >-
            No credentials supplied. Requests to `/v3/users/*` paths without an
            `x-api-key` header (or `Authorization: Bearer` token) are rejected
            by the authentication middleware before reaching the API.
          content:
            application/json:
              examples:
                Missing credentials:
                  value:
                    detail: >-
                      You must be authenticated with a valid access token to
                      access this endpoint.
        '403':
          description: >-
            Invalid or revoked API key, or the key cannot delete users for this
            application. Note: on this endpoint an *invalid* key returns `403`
            (not `401`).
          content:
            application/json:
              examples:
                Forbidden:
                  value:
                    detail: You do not have permission to perform this action.
        '429':
          description: >-
            Rate limit exceeded; back off and retry after the interval indicated
            in `Retry-After`.
          content:
            application/json:
              examples:
                Rate limited:
                  value:
                    detail: Request was throttled. Expected available in 30 seconds.
      security:
        - ApiKeyAuth: []
      x-codeSamples:
        - lang: curl
          label: curl
          source: |-
            curl -X POST 'https://verification.didit.me/v3/users/delete/' \
              -H 'x-api-key: YOUR_API_KEY' \
              -H 'Content-Type: application/json' \
              -d '{"vendor_data_list": ["user-123", "user-456"]}'
        - lang: python
          label: Python
          source: |-
            import requests

            resp = requests.post(
                'https://verification.didit.me/v3/users/delete/',
                headers={'x-api-key': 'YOUR_API_KEY', 'Content-Type': 'application/json'},
                json={'vendor_data_list': ['user-123', 'user-456']},
            )
            resp.raise_for_status()
            print('deleted', resp.json()['deleted'])
        - lang: javascript
          label: JavaScript
          source: >-
            const resp = await
            fetch('https://verification.didit.me/v3/users/delete/', {
              method: 'POST',
              headers: { 'x-api-key': process.env.DIDIT_API_KEY, 'Content-Type': 'application/json' },
              body: JSON.stringify({ vendor_data_list: ['user-123', 'user-456'] }),
            });

            const body = await resp.json();

            console.log('deleted', body.deleted);
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key

````