That segment is for v1 key requests (bound to API ID and not policy ID), your developer object should have a
subscriptions element (your key request will have a version flag for "v2" if you look at the ones the portal generates, this is really important):
Reasoning The portal grants access to policies not APIs, because a policy can encapsulate ACL for multiple managed APIs (there is a difference between what is published and what is managed, you may not want to expose all your microservices, but instead bundle a group of microservices as a single "API" for the developer portal, we moved to the
v2 version of key requests and catalogue entries a long time ago)
The item on the left is the policy ID that the token is bound to and the right element is the hashed token ID.
Revoke the key for a developer object:
We also want the API Call to update the developer record in the portal so you can manage their keys / usage and subscriptions from there so this call is preferable to just deleting the token as the references will not be removed in the call you suggest.