Delete Session
Soft-delete a single verification session — User Verification (KYC) or Business Verification (KYB) — by its session_id. The id is resolved against KYC sessions first, then KYB sessions, so both kinds are deleted through this one URL.
What happens on deletion:
- The session is stamped with a deletion timestamp and immediately disappears from every read endpoint —
GET /v3/session/{sessionId}/decision/returns404andGET /v3/sessions/stops listing it. - For KYC sessions, related face, liveness, and face-match records are soft-deleted together with the session.
- A background job then moves every stored media file owned by the session to a quarantined storage prefix: document front/back photos (full, cropped, and privacy-blurred variants), document-capture videos, portrait crops, NFC chip portrait and signature images, face reference images, liveness videos, face-match source/target images, Proof of Address documents, and any extra uploaded files (KYC); uploaded company documents and extra files (KYB). Previously issued media URLs (
https://<media-host>/...) stop resolving once the move completes — the move is asynchronous, so a URL issued just before deletion may keep working for a short window after the204.
What is retained: the underlying database records (decision, extracted data, audit events) are kept internally, marked with the deletion timestamp — they become unreachable through the API but are not erased at the moment of the call. Blocklist entries created from this session (face or document) are not removed — manage those with the blocklist endpoints. Credits already consumed are not refunded.
Irreversible: there is no restore/undelete endpoint.
Side effects: no webhook is emitted for deletions.
Idempotency: not idempotent at the HTTP level — the first call returns 204; repeating it returns 404 because the session no longer resolves.
Authentication: send your application’s API key in the x-api-key header; the session must belong to that application. Console user access tokens (Authorization: Bearer ...) may also call this endpoint when they carry the delete:sessions permission. Authentication and permission failures both return 403 — this API never returns 401.
Rate limit: shared write budget of 300 requests/min per API key across all POST/PATCH/DELETE endpoints; exceeding it returns 429.
To bulk-delete KYC sessions by their numeric session_number, use POST /v3/sessions/delete/ instead.
KYC and KYB support
Works for both User Verification (KYC) and Business Verification (KYB) sessions. Thesession_id is looked up in both tables; the same delete behavior applies to both.
Behavior
- Session is deleted —
deleted_atis set. The row remains in the database for your configured data retention window, then is hard-deleted. - Associated feature records (ID verifications, registry checks, documents, etc.) are deleted alongside.
- Links to the parent entity (User or Business) are preserved in history but the session itself no longer appears in list responses.
Examples
- Delete a User Verification (KYC) session
- Delete a Business Verification (KYB) session
204 No Content.Permission
Requiresdelete:sessions. The same permission covers both User Verification (KYC) and Business Verification (KYB) sessions.
Batch delete
For bulk operations, usePOST /v3/sessions/delete/ — accepts a list of session IDs of either kind.
Related
Authorizations
Path Parameters
UUID (session_id) of the User Verification (KYC) or Business Verification (KYB) session to delete, as returned when the session was created. Must be a canonical hyphenated UUID — a non-UUID value does not match the route and returns 404.
"11111111-2222-3333-4444-555555555555"
Response
Session soft-deleted. Empty body. The media quarantine continues asynchronously after the response.