How key rotation works
When you rotate an API key:- A new key is generated — it is immediately active
- The old key receives an expiration date — it remains valid for the grace period you select, giving you time to update your services without downtime
Grace period options
If you need more time after rotation has started, you can extend the grace period from the key’s context menu using Change grace period.
Revoking keys
Revocation immediately invalidates a key (equivalent to setting the expiration to now). All requests using the revoked key return401 Unauthorized.
Default keys must be rotated before they can be revoked — this ensures there is always an active key for your environment.
Activity logging
All key lifecycle events are captured in the activity log:- Key created
- Key rotated
- Grace period changed
- Key revoked
Best practices
- Rotate keys regularly — periodic rotation reduces risk even if a key has not been compromised
- Use appropriate grace periods — allow enough time to update all services using the old key
- Monitor activity logs — review key events to detect unexpected access
- Use environment-specific keys — never share keys across environments
