POST /auth/deregister-pubkey
Removes a previously registered session key. After a successful deregister the key can no longer authenticate requests and its replay nonce is dropped.
Request
{
  "ownerAddress": "0xMerchant…",
  "publicKey": "0x04abc…",
  "signature": "0xWalletSig…"
}
The signature is over the canonical message:
deregister:{ownerAddressLower}:{publicKeyLowerNo0x}
This binds the request to one specific key, so a captured signature can't be replayed against a different key the merchant still wants to keep.
Response
200 OK
{
  "removed": true,
  "ownerAddress": "0xMerchant…",
  "publicKey": "0x04abc…"
}
removed: false is returned (with the same status code) when the key was
not registered to begin with — the operation is idempotent.
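The key binding and the idempotent response described above, as an added sketch that is not the service's own code. Ed25519 from Node's crypto module stands in for the wallet signature scheme, which this page does not specify; the function names, the in-memory `sessionKeys` map and the sample values are assumptions.

```javascript
// Added example, not the service's code. Ed25519 stands in for the wallet
// signature scheme, which the page does not specify.
const crypto = require("node:crypto");
const HEX = /^(0x)?[0-9a-f]+$/i;

// Builds deregister:{ownerAddressLower}:{publicKeyLowerNo0x}.
function canonicalDeregisterMessage(ownerAddress, publicKey) {
  if (!HEX.test(ownerAddress) || !HEX.test(publicKey)) {
    throw new TypeError("ownerAddress and publicKey must be hex strings");
  }
  const key = publicKey.toLowerCase().replace(/^0x/, "");
  return `deregister:${ownerAddress.toLowerCase()}:${key}`;
}

// Client side: sign the canonical message with the wallet key (stand-in).
function signDeregister(walletPrivateKey, ownerAddress, publicKey) {
  const msg = Buffer.from(canonicalDeregisterMessage(ownerAddress, publicKey));
  return "0x" + crypto.sign(null, msg, walletPrivateKey).toString("hex");
}

// Server side. sessionKeys is a hypothetical store: Map<"owner:key", { nonce }>.
function handleDeregister(sessionKeys, walletPublicKey, req) {
  // Rebuild the message from request fields; never verify a client-supplied string.
  const msg = canonicalDeregisterMessage(req.ownerAddress, req.publicKey);
  const sig = Buffer.from(req.signature.replace(/^0x/i, ""), "hex");
  if (!crypto.verify(null, Buffer.from(msg), walletPublicKey, sig)) {
    throw new Error("signature does not cover this owner/key pair");
  }
  // Deleting the entry drops the key and its replay nonce; false if absent.
  const removed = sessionKeys.delete(msg.slice("deregister:".length));
  return { removed, ownerAddress: req.ownerAddress, publicKey: req.publicKey };
}

// Constructed sample data: one owner with two registered session keys.
function demo() {
  const wallet = crypto.generateKeyPairSync("ed25519");
  const owner = "0xAbCdEf0000000000000000000000000000000001";
  const keyA = "0x04AABB01", keyB = "0x04ccdd02";
  const store = new Map([
    ["0xabcdef0000000000000000000000000000000001:04aabb01", { nonce: 7 }],
    ["0xabcdef0000000000000000000000000000000001:04ccdd02", { nonce: 3 }],
  ]);
  const sigA = signDeregister(wallet.privateKey, owner, keyA);
  const call = (publicKey) => handleDeregister(store, wallet.publicKey,
    { ownerAddress: owner, publicKey, signature: sigA });
  let replayRejected = false;
  try { call(keyB); } catch { replayRejected = true; }
  return { replayRejected, first: call(keyA), second: call(keyA), left: store.size };
}
```

In `demo()`, the signature made for the first key is rejected when presented for the second key, and repeating the valid request returns `removed: false` once the key is gone.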