Comment by nomel

2 months ago

> Where would you type DELETE to confirm?

Call me crazy, but that's why you wouldn't expose it as an API. Have the API mark it for deletion, where it's effectively taken offline, but then require that they go through a web portal, with clear human intent, to actually delete it. Requiring proof of intent to do such destructive operations is all so incredibly basic that it really shows that the whole industry just constantly reinvents, with no memory whatsoever.

But, to answer your question, you could have it return a token that must be presented again as a confirmation, performed in a way that's only present for that specific API call, to at least prove human intent was part of the automation that's calling it.
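One way to implement the two-phase delete the comment describes, as an added example that is not part of nomel's comment or of any product mentioned in the thread: the first call only marks the resource as pending deletion (offline but still recoverable) and hands back a confirmation token bound by HMAC to the caller, the resource and a fresh per-request nonce; the second call destroys data only if that exact token is presented by the same caller for the same resource before it expires. The class and method names, the HMAC construction, the ten-minute lifetime and the sample resource names are assumptions made for illustration; the "web portal with clear human intent" step is stood in for here by the separate confirm call.

```python
"""Two-phase destructive delete (illustrative example, not production code):
phase 1 marks a resource offline and issues a request-bound confirmation token;
phase 2 destroys the data only when that token is presented again."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical server-side secret. A real service would load this from a
# secret store or KMS; it is hard-coded here only so the example runs offline.
SERVER_KEY = b"example-server-key-not-for-production"
CONFIRM_TTL_SECONDS = 600  # assumed lifetime of a confirmation token


@dataclass
class Resource:
    name: str
    data: str
    pending_delete: bool = False        # True means "offline but recoverable"
    confirm_nonce: Optional[str] = None  # rotates on every delete request
    marked_at: Optional[float] = None


class ManualClock:
    """Constructed clock so expiry can be exercised deterministically."""
    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class DeletionService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._resources: Dict[str, Resource] = {}

    def create(self, name: str, data: str) -> None:
        self._resources[name] = Resource(name, data)

    def exists(self, name: str) -> bool:
        return name in self._resources

    def is_available(self, name: str) -> bool:
        r = self._resources.get(name)
        return r is not None and not r.pending_delete

    def _sign(self, caller: str, name: str, nonce: str, issued: int) -> str:
        # The MAC covers caller, resource, nonce and issue time, so a token
        # cannot be replayed against another resource or by another principal.
        msg = f"{caller}|{name}|{nonce}|{issued}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def request_delete(self, caller: str, name: str) -> str:
        """Phase 1: take the resource offline and return a confirmation token."""
        r = self._resources[name]
        r.pending_delete = True
        r.confirm_nonce = secrets.token_hex(16)   # invalidates any earlier token
        r.marked_at = self._clock()
        issued = int(r.marked_at)
        sig = self._sign(caller, name, r.confirm_nonce, issued)
        return f"{r.confirm_nonce}.{issued}.{sig}"

    def confirm_delete(self, caller: str, name: str, token: str) -> bool:
        """Phase 2: destroy only if this exact token is fresh and matches
        this caller, this resource and the nonce issued for it."""
        r = self._resources.get(name)
        if r is None or not r.pending_delete:
            return False
        try:
            nonce, issued_s, sig = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return False
        if self._clock() - issued > CONFIRM_TTL_SECONDS:
            return False
        if nonce != r.confirm_nonce:
            return False
        expected = self._sign(caller, name, nonce, issued)
        if not hmac.compare_digest(expected, sig):
            return False
        del self._resources[name]   # the only place data is actually destroyed
        return True

    def restore(self, name: str) -> None:
        """Undo phase 1: bring the resource back online and void its token."""
        r = self._resources[name]
        r.pending_delete = False
        r.confirm_nonce = None
        r.marked_at = None
```

Because the nonce is regenerated on every `request_delete` and removed on `restore`, a leaked token is useless once the resource is restored or re-requested, and once the resource is gone the same token cannot be replayed at all. Callers that merely want a resource out of service get that from phase 1 alone; nothing is lost until a second, deliberate action presents the token.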