Overview
Stigg allows you to rotate your API keys directly from the API keys settings page in the Stigg app. Key rotation is available for both full access keys (used in the backend) and publishable keys (used in the frontend).

How key rotation works
When you rotate an API key:
- A new key is created
- The new key is immediately active and has no expiration date
- The old key receives an expiration date
- You choose a grace period during which the old key remains valid, giving you time to update your codebase
Grace period options
During rotation, you can specify how long the old key should remain active:
- Immediate (0 days) - The old key is immediately invalidated
- Up to 7 days - Available through the Stigg UI
If you need a longer grace period (up to 1 year), you can extend the key’s expiration date using the Stigg API. This is useful for organizations with longer deployment cycles or those managing multiple services.
Revoking keys
Only keys that have an expiration date can be revoked. Revoking a key is equivalent to setting its expiration to the current time, which immediately invalidates it. For default keys (keys without an expiration date), use the rotation mechanism to manage the key lifecycle. This ensures there’s always an active key for your environment.

Activity logging
All key management actions are tracked in the activity logs:
- Key rotation - Logged in both the specific key’s activity log and the general system logs
- Key creation - When rotation creates a new key, a separate activity log entry is created for the new key
- Expiration changes - Any modifications to key expiration dates are logged
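The lifecycle rules described in the sections above (a grace period during which both the old and the new key are accepted, revocation as "set the expiration to now", default keys managed only through rotation, and an activity log entry for every action) as an added, runnable model. This is an in-memory toy written for this page, not Stigg's SDK or API: the class and method names, the way the 7-day UI limit and 1-year API limit are enforced, and the log entry format are all assumptions.

```python
"""Toy model of the API-key rotation lifecycle (added example, not Stigg's code).
All names, limits and the log format below are assumptions for illustration."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_GRACE_VIA_UI = timedelta(days=7)     # page: UI offers 0 to 7 days
MAX_GRACE_VIA_API = timedelta(days=365)  # page: API allows extension up to 1 year


@dataclass
class ApiKey:
    key_id: str
    secret: str
    environment: str
    expires_at: datetime | None = None  # None marks a default key (no expiration)


@dataclass
class KeyStore:
    keys: dict[str, ApiKey] = field(default_factory=dict)
    activity_log: list[tuple[str, str]] = field(default_factory=list)  # (key_id, event)

    def create(self, environment: str) -> ApiKey:
        key = ApiKey(secrets.token_hex(4), secrets.token_urlsafe(24), environment)
        self.keys[key.key_id] = key
        self.activity_log.append((key.key_id, "created"))
        return key

    def rotate(self, key_id: str, grace: timedelta, now: datetime) -> ApiKey:
        """Create a replacement key and give the old one an expiration date."""
        if not timedelta(0) <= grace <= MAX_GRACE_VIA_UI:
            raise ValueError("grace period must be between 0 and 7 days")
        old = self.keys[key_id]
        new = self.create(old.environment)  # logged as its own creation event
        old.expires_at = now + grace
        self.activity_log.append((old.key_id, f"rotated, expires {old.expires_at.isoformat()}"))
        return new

    def extend_expiration(self, key_id: str, new_expiry: datetime, now: datetime) -> None:
        """Push an expiring key's deadline out, bounded by the 1-year limit."""
        key = self.keys[key_id]
        if key.expires_at is None:
            raise ValueError("default keys have no expiration to change; rotate instead")
        if not now < new_expiry <= now + MAX_GRACE_VIA_API:
            raise ValueError("expiration must be in the future and at most 1 year out")
        key.expires_at = new_expiry
        self.activity_log.append((key_id, f"expiration changed to {new_expiry.isoformat()}"))

    def revoke(self, key_id: str, now: datetime) -> None:
        """Revocation is 'expire now'; only keys that already have an expiration qualify."""
        key = self.keys[key_id]
        if key.expires_at is None:
            raise ValueError("only keys with an expiration date can be revoked")
        key.expires_at = now
        self.activity_log.append((key_id, "revoked"))

    def is_valid(self, secret: str, environment: str, now: datetime) -> bool:
        """Accept a presented secret only for its own environment and before expiry."""
        for key in self.keys.values():
            if key.environment == environment and secrets.compare_digest(key.secret, secret):
                return key.expires_at is None or now < key.expires_at
        return False


def rotation_walkthrough() -> dict[str, bool]:
    """Run the lifecycle against a fixed clock; returns named checks for a test."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = KeyStore()
    old = store.create("production")
    new = store.rotate(old.key_id, timedelta(days=3), now=t0)
    day1, day3, day20 = (t0 + timedelta(days=d) for d in (1, 3, 20))
    results = {
        "both_valid_during_grace": store.is_valid(old.secret, "production", day1)
        and store.is_valid(new.secret, "production", day1),
        "old_rejected_after_grace": not store.is_valid(old.secret, "production", day3),
        "new_key_has_no_expiry": new.expires_at is None,
        "keys_are_environment_bound": not store.is_valid(new.secret, "staging", t0),
    }
    # Longer deployment cycle: extend via the API path, then cut the old key off early.
    store.extend_expiration(old.key_id, t0 + timedelta(days=30), now=t0)
    results["old_valid_after_extension"] = store.is_valid(old.secret, "production", day20)
    store.revoke(old.key_id, now=day20)
    results["old_rejected_after_revoke"] = not store.is_valid(old.secret, "production", day20)
    try:  # default keys are never revoked directly; rotation is the supported path
        store.revoke(new.key_id, now=t0)
        results["default_key_revoke_refused"] = False
    except ValueError:
        results["default_key_revoke_refused"] = True
    results["every_action_logged"] = [e for _, e in store.activity_log] == [
        "created", "created", f"rotated, expires {day3.isoformat()}",
        f"expiration changed to {(t0 + timedelta(days=30)).isoformat()}", "revoked",
    ]
    return results


if __name__ == "__main__":
    for check, ok in rotation_walkthrough().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The validity check uses a strict `now < expires_at`, so a key revoked "now" is rejected in the same instant rather than one tick later, matching the page's description of revocation as immediate invalidation. A rotated key's replacement is created through the same `create` path as any other key, which is why the log shows a separate creation entry before the rotation entry.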
Best practices
- Rotate keys regularly - Even if not compromised, periodic rotation reduces risk
- Use appropriate grace periods - Allow enough time to update all services using the old key
- Monitor activity logs - Review key-related activity to detect any unauthorized access
- Use environment-specific keys - Never share keys between environments (development, staging, production)
