id is optional if already specified in header

app/controllers/user_api_keys_controller.rb

@@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
   end
 
   def revoke
-    revoke_key = find_key
+    revoke_key = find_key if params[:id]
+
     if current_key = request.env['HTTP_USER_API_KEY']
       request_key = UserApiKey.find_by(key: current_key)
+      revoke_key ||= request_key
       if request_key && request_key.id != revoke_key.id && !request_key.write
         raise Discourse::InvalidAccess
       end
     end
 
+    raise Discourse::NotFound unless revoke_key
+
     revoke_key.update_columns(revoked_at: Time.zone.now)
 
     render json: success_json