diff --git a/app/controllers/api/internal/revocations_controller.rb b/app/controllers/api/internal/revocations_controller.rb
new file mode 100644
index 0000000..757c514
--- /dev/null
+++ b/app/controllers/api/internal/revocations_controller.rb
@@ -0,0 +1,34 @@
+module Api
+ module Internal
+ class RevocationsController < ApplicationController
+ def create
+ token = params[:token]
+
+ return head 400 unless token.present?
+
+ admin_api_key = AdminApiKey.active.find_by(token:)
+
+ return render json: { success: false } unless admin_api_key.present?
+
+ admin_api_key.revoke!
+
+ user = admin_api_key.user
+
+ render json: {
+ success: true,
+ owner_email: user.email_addresses.first&.email,
+ key_name: admin_api_key.name
+ }.compact_blank
+ end
+
+ private def authenticate!
+ res = authenticate_with_http_token do |token, _|
+ ActiveSupport::SecurityUtils.secure_compare(token, ENV["HKA_REVOCATION_KEY"])
+ end
+ unless res
+ redirect_to "https://www.youtube.com/watch?v=dQw4w9WgXcQ", allow_other_host: true
+ end
+ end
+ end
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index ab75269..8fa9a12 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -217,6 +217,7 @@ Rails.application.routes.draw do
 end
 namespace :internal do
+ post "revoke", to: "revocations#create"
 post "/can_i_have_a_magic_link_for/:id", to: "magic_links#create"
 end
 end
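Review bot: Nothing in this controller registers `authenticate!` as a callback, so unless `ApplicationController` (not shown in this diff) already runs a method of that name before actions, `create` would skip the shared-secret check and return the owner's e-mail and key name to any caller that presents a valid token. Adding `before_action :authenticate!` at the top of the class makes the dependency explicit. Inside `authenticate!`, a failed check answers with a 302 to an external video rather than an error status, so a client that follows redirects sees a 200 and failed attempts are hard to tell apart in logs and alerts; `head :unauthorized unless res` is the conventional response. `ENV["HKA_REVOCATION_KEY"]` is nil when the variable is unset, which makes `secure_compare` raise instead of deny, and an empty value would be compared as-is; reading it with `ENV.fetch("HKA_REVOCATION_KEY")` and rejecting a blank key would make a misconfiguration fail clearly.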