POST /admin/migrations/:id/items/:itemId/reject
Reject a migration item. The item’s encrypted value is immediately zeroed. Auth:migration_reviewer permission + a recent step-up verification (5-minute window)
Step-up is enforced server-side: the request carries no step-up token or header. The signed-in user must have completed a step-up re-authentication (TOTP via POST /auth/2fa/verify-step-up, passkey via POST /auth/passkey/verify-step-up, or the email fallback POST /auth/step-up/email-challenge then POST /auth/step-up/verify-email) within the last 5 minutes. If no recent verification exists, this endpoint returns 403 { "error": "Recent step-up verification required for this action", "requires_step_up": true, "max_age_minutes": 5 }.
Request body
Response
409 if the item is not in pending_review status.