fix(router): Take merchant ID from headers in API Key - Revoke (v2) (#8808)

AnuthaDev · web-flow · commit d164954e22ed · 2025-08-05T07:44:47.000Z
diff --git a/crates/router/src/core/api_keys.rs b/crates/router/src/core/api_keys.rs
@@ -425,18 +425,18 @@ pub async fn update_api_key_expiry_task(
 #[instrument(skip_all)]
 pub async fn revoke_api_key(
     state: SessionState,
-    merchant_id: &common_utils::id_type::MerchantId,
+    merchant_id: common_utils::id_type::MerchantId,
     key_id: &common_utils::id_type::ApiKeyId,
 ) -> RouterResponse<api::RevokeApiKeyResponse> {
     let store = state.store.as_ref();
 
     let api_key = store
-        .find_api_key_by_merchant_id_key_id_optional(merchant_id, key_id)
+        .find_api_key_by_merchant_id_key_id_optional(&merchant_id, key_id)
         .await
         .to_not_found_response(errors::ApiErrorResponse::ApiKeyNotFound)?;
 
     let revoked = store
-        .revoke_api_key(merchant_id, key_id)
+        .revoke_api_key(&merchant_id, key_id)
         .await
         .to_not_found_response(errors::ApiErrorResponse::ApiKeyNotFound)?;
 
diff --git a/crates/router/src/routes/api_keys.rs b/crates/router/src/routes/api_keys.rs
@@ -243,7 +243,9 @@ pub async fn api_key_revoke(
         state,
         &req,
         (&merchant_id, &key_id),
-        |state, _, (merchant_id, key_id), _| api_keys::revoke_api_key(state, merchant_id, key_id),
+        |state, _, (merchant_id, key_id), _| {
+            api_keys::revoke_api_key(state, merchant_id.clone(), key_id)
+        },
         auth::auth_type(
             &auth::PlatformOrgAdminAuthWithMerchantIdFromRoute {
                 merchant_id_from_route: merchant_id.clone(),
@@ -265,24 +267,25 @@ pub async fn api_key_revoke(
 pub async fn api_key_revoke(
     state: web::Data<AppState>,
     req: HttpRequest,
-    path: web::Path<(
-        common_utils::id_type::MerchantId,
-        common_utils::id_type::ApiKeyId,
-    )>,
+    path: web::Path<common_utils::id_type::ApiKeyId>,
 ) -> impl Responder {
     let flow = Flow::ApiKeyRevoke;
-    let (merchant_id, key_id) = path.into_inner();
+    let key_id = path.into_inner();
 
     Box::pin(api::server_wrap(
         flow,
         state,
         &req,
-        (&merchant_id, &key_id),
-        |state, _, (merchant_id, key_id), _| api_keys::revoke_api_key(state, merchant_id, key_id),
+        &key_id,
+        |state,
+         auth::AuthenticationDataWithoutProfile {
+             merchant_account, ..
+         },
+         key_id,
+         _| api_keys::revoke_api_key(state, merchant_account.get_id().to_owned(), key_id),
         auth::auth_type(
-            &auth::V2AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute {
-                merchant_id: merchant_id.clone(),
+            &auth::AdminApiAuthWithMerchantIdFromHeader,
+            &auth::JWTAuthMerchantFromHeader {
                 required_permission: Permission::MerchantApiKeyWrite,
             },
             req.headers(),
