GDPR right-to-erasure. Irreversibly anonymizes the user's PII and cascades to credentials, factors, refresh tokens, sessions, devices, memberships, and ReBAC tuples, leaving a tombstone. Emits `user.erased` (audited). Requires `users:delete`.
POST /v1/users/{id}/erase
operationId: erase
Authorization: Secret API key
Server-to-server. Send a secret key as a Bearer token plus the x-application-id header.
Path parameters
id (string<uuid>, required): User id
Responses
200 Erased
{
  "data": {
    "deleted": false
  },
  "error": {
    "code": "string",
    "message": "string"
  },
  "meta": {
    "timestamp": "string"
  },
  "success": false
}
404 Unknown user
Request
curl -X POST "http://localhost:8080/v1/users/018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f/erase" \
  -H "Authorization: Bearer $SECRET_KEY" -H "x-application-id: $APPLICATION_ID"
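A caller-side sketch of this endpoint, added here as an example and not taken from the project's own SDK: it validates the `id` path parameter as a UUID before building the authenticated request, and only reports an erasure as done when the response envelope confirms it. The function names, the sample key and application id are hypothetical, and treating `success` and `data.deleted` both being `true` as the confirmation is an assumption about the envelope's semantics.

```python
import json
import uuid
import urllib.request


def build_erase_request(base_url, user_id, secret_key, application_id):
    """Build (without sending) the POST /v1/users/{id}/erase request."""
    # The path parameter is documented as string<uuid>. Parsing it rejects
    # values such as "../x" or "id?x=1" that would change the request path.
    canonical_id = str(uuid.UUID(str(user_id)))
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/v1/users/{canonical_id}/erase",
        method="POST",
        headers={
            "Authorization": f"Bearer {secret_key}",
            "x-application-id": application_id,
        },
    )


def interpret_erase_response(status, body):
    """Map an HTTP status and JSON body to 'erased' or 'unknown_user'."""
    if status == 404:
        return "unknown_user"
    envelope = json.loads(body)
    # Assumption: erasure is confirmed only when both flags are true.
    deleted = (envelope.get("data") or {}).get("deleted") is True
    if status == 200 and envelope.get("success") is True and deleted:
        return "erased"
    code = (envelope.get("error") or {}).get("code")
    raise RuntimeError(f"erasure not confirmed: HTTP {status}, code={code!r}")


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_erase_request(
        "http://localhost:8080",
        "018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f",
        "sk_constructed_example",
        "app_constructed_example",
    )
    print(req.get_method(), req.full_url)
    confirmed = '{"success": true, "data": {"deleted": true}}'
    print(interpret_erase_response(200, confirmed))
```

Keep the secret key on the server side only and record the returned outcome against the erasure request, so a response that does not confirm deletion is retried or escalated instead of being logged as fulfilled.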