What happens to in-flight verifications when an API key is revoked?
Revoking an API key on Valid Email Checker stops new authentication attempts immediately, but the answer for in-flight requests is more nuanced. The exact behavior depends on whether the request is a synchronous single-email verification or an asynchronous bulk task, and on whether your code is fetching the result or just kicked it off.
Single verification already accepted
When a /verify-single request reaches the API, the very first thing the function does is look up the key by hash and check its status. If the key was active at that moment, the request goes through the rest of the pipeline — credit deduction, provider lookup, response formatting — without re-checking the key in between. So a single-email verification that has already passed the initial auth gate will complete normally and return its result, even if you revoke the key one millisecond later in another browser tab.
The next request from your application, however, gets 403 API key is suspended — see what error does the API return when the key is revoked for the exact response. There is no graceful drain or wind-down period; the new state takes effect on the very next inbound request.
Bulk verification: split brain
Bulk is more interesting because it has two phases — task creation and result polling — and each goes through the auth gate independently.
| Phase | Behavior after revocation |
|---|---|
| Task creation already accepted | The background worker keeps processing the addresses on its own schedule. The task progresses to completion as if nothing happened. |
| Task creation in flight when you revoke | If the request had not yet hit the auth check, it now fails with 403 and the task never starts. |
Polling get-results with the revoked key | Returns 403 immediately. You cannot retrieve results with that key. |
Polling get-results with a different active key | Works fine — task ownership is by user, not by the key that created it. Any active key on the same account can fetch the results. |
What credits get deducted
Credits already deducted are not refunded by revocation. Single-verify requests deduct one credit at completion (or refund if the upstream provider returns unknown), and bulk tasks deduct per address as the worker processes them. Revoking the key partway through a 50k bulk task does not stop the worker from continuing to deduct credits for the addresses it processes — because, again, the task is bound to your user account, not to the key that initiated it.
Stopping a bulk task in progress
Revoking a key is not the right tool for cancelling a bulk task. The dashboard bulk page has a Cancel button on each running task — that genuinely halts the worker and stops further credit deductions. See how to verify a list in bulk for the dashboard flow. There is no public API endpoint to cancel a bulk task remotely as of this writing; that capability is on the roadmap.
Best practice when rotating a key
- Generate the new key first and roll it out to your application.
- Verify the new key is making successful requests (check the Credits Used counter on the new key row a few minutes later).
- Only then disable or delete the old key.
Doing the steps in the opposite order causes a brief window where requests fail with 403, which is rarely what you want. The Developer page lets you hold both keys active during the swap — there is no rate-limit penalty for the overlap.
Next steps
Related questions
Still stuck? Email support