As far as I can tell, there’s no option to reduce the scope of an API key so that it handles deactivations, that’s not one of the options available, but a global key doesn’t work anyway. (API’s need work, IMHO.)
I don’t know where the deactivate.json code is, a search on my server doesn’t find it, so apparently it isn’t a separate file. I’m wondering if there’s something specific about this being a secondsite that isn’t correct, because it worked great on the default site.
It would not be the first problem I’ve found with secondsites, though I"m not sure if anyone ever logged the first one as a problem, it has to do with code in an nginx config file that checks to make sure the domain name in the URL is the default one, I just comment out those lines of code whenever I do a rebuild. I reported this problem in this post: