API keys for deactivated users being still marked as active may be confusing
When a user is deactivated, their API key/keys still stay set as active=true.
Such a discrepancy may cause undue confusion/alarm, as it could be understood incorrectly when doing a security review or a data incident situation check, for example.
A possible approach here may be to set a new message/note on the API keys page that will indicate which users are actually deactivated, therefore stating their API calls are not actually usable at the time.
For users who obtain and check API key data using the "rh/apikeys" API call - an additional field can be added to the API call results that describes the status of the users - whether they are an active or a deactivated user at the moment, as deactivated users cannot use their API keys to run calls by default.