Delete user

DELETE https://app.speybooks.com/api/v1/admin/users/{id}

Permanently delete a user and all associated data. Implements GDPR Article 17 (Right to be Forgotten). This operation is irreversible.

Confirmation

Requires confirm: "DELETE" (literal string) and a reason (minimum 5 characters) in the request body.

Safety Checks

Cannot delete yourself (SELF_DELETE)
Cannot delete admin users (CANNOT_DELETE_ADMIN)

Cascade Delete (Transaction)

Deletes in dependency order within a single transaction:

sessions
audit_log (entries by this user)
admin_impersonation_sessions (as target)
user_organisations
users

Side Effects

Writes USER_DELETED_GDPR to admin_audit_log with the deleted email and name for compliance records

Note: the user's organisation is not deleted. If the organisation should also be removed, use the delete organisation endpoint separately.

Path parameters

id string required

User ID to permanently delete.

Response

200 User permanently deleted (GDPR). All sessions, audit entries, and memberships removed.

Show response fields

message string

Error codes

400 Cannot delete yourself or admin users.

404 User not found.

Request DELETE /v1/admin/users/{id} curl

curl -X DELETE https://api.speybooks.com/v1/admin/users/12 \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"confirm": "DELETE", "reason": "GDPR erasure request received 2026-02-19"}'

Response 200

{
  "success": true,
  "data": {
    "message": "User permanently deleted"
  }
}