Delete a login policy

If you have login policies that you no longer need, there’s no reason to keep those policies around: not only does deleting unwanted policies reduce clutter, but it also prevents you (or another administrator) from inadvertently using one of those policies. To delete a login policy, use a curl command similar to the following:

curl -X DELETE \
  '<URL of the login policy to delete>' \
  -H 'Authorization: Bearer 03v-eeodppPrrHXXIx56pRLyDBaOldDxqEwI59MFCFGVuSkLRapzgmfwmEHyKWle' \
  -H 'Content-Type: application/json'

The preceding command deletes the specified login policy … provided that the policy isn’t currently assigned to an OIDC client. If the policy is assigned to an OIDC client, your API call fails and you’ll get back an error message similar to the following:


Believe it or not, this is actually a very useful error message: it contains the IDs of the OIDC clients that the policy is assigned to. In the preceding example, the policy we wanted to delete is currently assigned to two different clients (shown in red above):

  • 15e60c44-a26e-45e3-9c9a-bbb7a4fd08f0
  • fd72dfd7-3ad8-4237-a74d-013e04ae947c

Before you can delete login policy d4308c4d-f5d5-403f-bbb4-403dbdb3efe6 you must disassociate the policy from its two associated clients. And to do that, you’ll need to use the /{customer_id}/config/clients/{client_id} operation and assign the client a new login policy.


As a general rule, you don’t want to simply delete a login policy from an OIDC client: if you do that, the client will no longer be capable of assisting with user logins and registrations. Instead of deleting the login policy from the client, replace the old login policy with a new one.
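
The following added example (not part of the original documentation) turns the error text from a failed delete into the list of client operations that must be updated before the delete is retried. The error body and customer ID are constructed, and the script assumes only that the client IDs appear in the error as UUIDs; any other UUID in the message, such as a customer ID, would also be listed.

```shell
#!/bin/sh
# Added example: find the OIDC clients that block deletion of a login policy.
# SAMPLE_ERROR is constructed; the real response layout may differ, so the
# functions rely only on client IDs appearing somewhere in the text as UUIDs.

UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

CUSTOMER_ID='00000000-0000-0000-0000-000000000000'   # constructed placeholder
POLICY_ID='d4308c4d-f5d5-403f-bbb4-403dbdb3efe6'     # policy ID from the text
SAMPLE_ERROR='login policy d4308c4d-f5d5-403f-bbb4-403dbdb3efe6 is assigned to clients: 15e60c44-a26e-45e3-9c9a-bbb7a4fd08f0, fd72dfd7-3ad8-4237-a74d-013e04ae947c'

# blocking_clients POLICY_ID ERROR_TEXT
# Prints every distinct UUID in ERROR_TEXT, one per line, in order of first
# appearance, skipping the policy's own ID.
blocking_clients() {
  pol=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$2" \
    | grep -oE "$UUID_RE" \
    | tr 'A-F' 'a-f' \
    | grep -vxF "$pol" \
    | awk '!seen[$0]++'
}

# client_paths CUSTOMER_ID POLICY_ID ERROR_TEXT
# Prints the /{customer_id}/config/clients/{client_id} path for each client
# that still needs a replacement login policy.
client_paths() {
  blocking_clients "$2" "$3" | while IFS= read -r id; do
    printf '/%s/config/clients/%s\n' "$1" "$id"
  done
}

# Stand-alone run: show the client operations to update before retrying.
client_paths "$CUSTOMER_ID" "$POLICY_ID" "$SAMPLE_ERROR"
```

Assign each listed client a new login policy, then rerun the delete; an empty list means nothing in the error text is blocking it.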