Delete a user (GDPR Art. 17)
Hard-deletes the target user and all personally identifiable data in a single database transaction: messages, sessions, feedback, prompt_favorites, tracking, RBAC entries, and the users row. After the transaction commits, S3 objects under user_{id}/ are deleted best-effort (failure is logged but does not fail the request). Callers must be super_admin. Admins cannot delete their own account (allowSelf: false).
Authorizations
Organisation API key. Format: sk_<secret>/<keyname> — the secret portion, a literal slash, and the human-readable key name. The header exulu-api-key is accepted as an alias. A Bearer prefix is tolerated and stripped. Keys with an agent scope are only valid for the scoped agent instance.
Path Parameters
Numeric user ID.
Response
User deleted.