Quarantine
When an incident requires removing a user’s access immediately — credentials compromised, employee terminated, suspicious activity flagged by the SOC — Arrakis composes a sequence of admin API calls against each tool’s vendor console, and pushes a corresponding block to the endpoint via MDM. This page documents what the verified API actions actually do (and do not do), and how they combine with the MDM-side block to constitute a complete quarantine.
What Quarantine actually is
Quarantine is a composite action: API key revocation, plus workspace and project removal, plus organization-level user deletion, plus an MDM-side block on the endpoint. It is not a single “kill switch”, because no upstream vendor publishes a session-termination API. The composite is the most that can be done with the surfaces the vendors expose.
Arrakis runs the composite from the platform when an admin clicks Quarantine on a user. The MDM-side block is the part that provides instant local enforcement; the vendor-API actions revoke long-lived credentials and remove the user from the org so that subsequent re-auth attempts fail. The two halves are issued together — Arrakis enforces that both a vendor admin credential and an MDM credential are configured before any Quarantine action can run.
What the vendors do NOT publicly document
This section is deliberately prominent. The Quarantine composite has gaps that are inherent to the vendor APIs, not to Arrakis, and customer security teams must understand them before relying on Quarantine as their incident response control.
- No vendor publishes a “kill all active sessions” API. Anthropic, Cursor, and OpenAI all expose user-removal and key-revocation endpoints. None of the three documents an endpoint that immediately invalidates an in-progress OAuth session running on the developer’s machine.
- Anthropic API keys persist after user removal. Per the Anthropic Admin API documentation , API keys are scoped to the organization, not the individual user. Quarantine must explicitly enumerate keys by
created_by_user_idand deactivate each —DELETE useralone does not revoke them. - None of the three vendors publishes granular OAuth-style scopes for admin actions. Quarantine requires a single full org-admin credential per vendor. This is inherent to the vendor APIs, not a choice Arrakis makes.
Where vendor docs are silent on a behavior — for example, whether a DELETE user call cascades to active OAuth sessions — this page says so explicitly. For each item below labeled “verify with vendor support”, the customer should confirm cascade behavior with their TAM at the vendor before relying on it for incident response.
Per-vendor composite actions
Anthropic (Claude Code, Claude Cowork, Claude Desktop)
Required Arrakis credential. An Admin API key (sk-ant-admin...) issued by an Anthropic org admin. There are no granular scopes; this single key carries full org-admin authority.
Composite, in order:
- Enumerate the user’s keys:
GET /v1/organizations/api_keys?created_by_user_id={user_id}&status=active. - For each key returned:
POST /v1/organizations/api_keys/{api_key_id}with body{"status":"inactive"}. - For each workspace the user belongs to:
DELETE /v1/organizations/workspaces/{workspace_id}/members/{user_id}. - Remove the user from the org:
DELETE /v1/organizations/users/{user_id}. - (Optional, if the customer’s tenant is entitled to the Compliance API) pull the Activity Feed for forensics.
Cited references:
- Admin API overview: https://platform.claude.com/docs/en/administration/administration-api
- API key revocation: https://platform.claude.com/docs/en/api/admin-api/apikeys/update-api-key
- User removal: https://platform.claude.com/docs/en/api/admin-api/users/remove-user
- Workspace member removal: https://platform.claude.com/docs/en/api/admin-api/workspace_members/delete-workspace-member
- List API keys: https://platform.claude.com/docs/en/api/admin-api/apikeys/list-api-keys
- List users: https://platform.claude.com/docs/en/api/admin-api/users/list-users
- Claude Code IAM (credential storage): https://code.claude.com/docs/en/iam
What is NOT verified. Whether DELETE /v1/organizations/users/{user_id} cascades to active Claude.ai web sessions, Claude Desktop OAuth, Claude Code OAuth, or CLAUDE_CODE_OAUTH_TOKEN long-lived tokens is not in public Anthropic documentation. There is no documented OAuth token revocation endpoint for Pro / Max / Team subscription tokens used by Claude Code and Claude Desktop, and no documented revocation path for CLAUDE_CODE_OAUTH_TOKEN. Org admins additionally cannot be removed via API per the Admin API FAQ. Verify cascade behavior with Anthropic support or your TAM before relying on it.
Cursor
Required Arrakis credential. A Cursor admin API key issued by a team admin. Authentication is HTTP Basic with the key as username. There are no granular scopes.
Composite, in order:
- Pull recent activity for forensics:
GET /teams/audit-logs. - (Optional soft-stop while staging removal)
POST /teams/user-spend-limitwith the target user_id and a limit of0. - Remove the user from the team:
POST /teams/remove-member.
Cited references:
- Cursor admin API: https://cursor.com/docs/account/teams/admin-api
What is NOT verified. Cursor publishes no session-termination endpoint and no OAuth token revocation endpoint. The local IDE may continue to function on cached credentials until its next auth check; the MDM-side block is the only verified instant kill on the endpoint. The Cursor audit-log event-schema documentation page was not retrievable during research; verify event names with Cursor support before alerting rules hardcode them.
OpenAI Codex (via the OpenAI Admin API)
Required Arrakis credential. An Admin API key (sk-admin-...) issued by an OpenAI org Owner. Org-wide; no granular scopes.
Composite, in order:
- Pull recent activity for forensics:
GET /organization/audit_logs?effective_at[gte]=...&actor_emails[]=user@co. - For each project the user belongs to:
- Enumerate project API keys:
GET /organization/projects/{project_id}/api_keys. - Delete any key owned by the target user_id:
DELETE /organization/projects/{project_id}/api_keys/{api_key_id}.
- Enumerate project API keys:
- For each project:
DELETE /organization/projects/{project_id}/users/{user_id}. - Remove the user from the org:
DELETE /organization/users/{user_id}. - If SCIM is the source of truth for identity, deprovision the user in the IdP — the change flows down via
is_scim_managedon the OpenAI user record.
Cited references:
- OpenAI Admin API: https://developers.openai.com/api/docs/api-reference/admin
- Audit logs: https://developers.openai.com/api/docs/api-reference/audit-logs
What is NOT verified. The OpenAI User object exposes role and is_scim_managed but no suspend or disable state — Quarantine is DELETE. The audit log records logout.succeeded events but OpenAI does not document an admin-initiated logout call. Time-to-effect of DELETE /organization/users/{user_id} on active Codex CLI / IDE sessions is undocumented. There is no documented OAuth token revocation API for the Codex CLI or IDE distinct from project API key deletion. Verify cascade behavior with OpenAI support.
The MDM block (instant kill)
The vendor APIs above revoke long-lived credentials and remove the user from the org. They do not provably terminate an in-progress session running on the developer’s machine. For instant local enforcement, Arrakis pushes a Quarantine policy via the customer’s MDM that does one or both of:
- Block Claude Code, Cursor, and Codex from launching on the endpoint.
- Remove the OAuth credential file from the endpoint so any subsequent launch fails to authenticate.
The exact payload depends on the customer’s quarantine policy. This MDM-side push is the only verified instant kill across all three tools. See MDM Sync → Live policy push for how Arrakis publishes the Quarantine profile to the fleet, and the per-MDM force-sync caveats that determine how quickly endpoints actually receive it.
Cross-vendor capability matrix
| Capability | Anthropic | Cursor | OpenAI |
|---|---|---|---|
| Remove user from org via API | Yes | Yes | Yes |
| Disable / suspend (non-destructive) | No | No | No |
| Revoke API key via API | Yes (status: inactive) | N/A — no end-user API keys | Yes (DELETE) |
| Remove from workspace / project | Yes | Via groups | Yes |
| Documented session-kill / OAuth revoke | No | No | No |
| Audit log API | Compliance API / Activity Feed | GET /teams/audit-logs | GET /organization/audit_logs |
| Granular admin scopes | No | No | No |
Required Arrakis-side configuration
For Quarantine to work end-to-end the customer must provide Arrakis with the following.
- Anthropic. An Admin API key (
sk-ant-admin...), pasted into the Arrakis platform under Settings → Integrations → Anthropic. - Cursor. A Cursor admin API key, pasted into Settings → Integrations → Cursor.
- OpenAI. An Admin API key (
sk-admin-...), pasted into Settings → Integrations → OpenAI. - MDM live-push credential. The same credential used for ongoing policy management, plus the optional force-sync permission so the Quarantine MDM payload reaches the endpoint within seconds rather than waiting for the next regular check-in. See MDM Sync → Live policy push.
Arrakis enforces a strict ordering rule: any Quarantine action requires both a vendor admin credential AND an MDM credential to be present, so the API revocation and the endpoint block are always issued together. If either credential is missing, the Quarantine button is disabled in the platform.
Cross-references
- MDM Sync & Change Management — including Live policy push
- Offboarding — full tenant disconnect (Quarantine is per-user)
- IdP Integration — group-based policy includes a “Quarantined users” group