Revoke a GDPR Request
Withdraw a GDPR data request the customer raised earlier. Revoking sets the request's status to revoked and stamps revokedAt. A request can only be revoked while it is still pending or processing — once it has been declined or approved it can no longer be revoked. The response carries a one-time successMessage.
Endpoint
POST /api/shop/gdpr-requests/{id}/revokeSend an empty request body.
Authentication
This endpoint requires an authenticated customer — send the storefront key and a customer Bearer token. See the Authentication page.
GDPR must be enabled
If GDPR data requests are disabled in the store's admin configuration, the endpoint returns HTTP 400 with the message "GDPR data requests are disabled. Please enable GDPR from the admin configuration." The feature has been turned off on the admin side.
Request Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Yes | application/json |
X-STOREFRONT-KEY | Yes | Your storefront API key |
Authorization | Yes | Bearer token (customer login required) |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
id | integer | Yes | The request ID to revoke. |
Response Fields (200 OK)
| Field | Type | Description |
|---|---|---|
id | integer | Request ID. |
type | string | Request type: delete or update. |
status | string | Request status — revoked after a successful revoke. |
message | string | The message supplied in the request. |
email | string | Email address tied to the request. |
revokedAt | string | ISO 8601 timestamp when the request was revoked. |
createdAt | string | ISO 8601 creation timestamp. |
updatedAt | string | ISO 8601 last update timestamp. |
successMessage | string | Confirmation message — present on create / revoke / delete results. |
customer | object | The customer who owns the request. |
customer._id | integer | Numeric customer ID of the owner. |
Status Codes
| Status | Meaning |
|---|---|
200 OK | Request revoked. |
400 Bad Request | GDPR is disabled in the store's admin configuration. |
401 Unauthorized | Missing or invalid customer Bearer token. |
403 Forbidden | Missing or invalid storefront key. |
404 Not Found | The request does not exist or is not owned by the customer. |
422 Unprocessable Entity | The request is not in a pending or processing state. |

