Skip to main content
API key rotation is an essential security practice that limits the blast radius of a compromised key.

How key rotation works

When you rotate an API key:
  1. A new key is generated — it is immediately active
  2. The old key receives an expiration date — it remains valid for the grace period you select, giving you time to update your services without downtime

Grace period options

If you need more time after rotation has started, you can extend the grace period from the key’s context menu using Change grace period.

Revoking keys

Revocation immediately invalidates a key (equivalent to setting the expiration to now). All requests using the revoked key return 401 Unauthorized. Default keys must be rotated before they can be revoked — this ensures there is always an active key for your environment.

Activity logging

All key lifecycle events are captured in the activity log:
  • Key created
  • Key rotated
  • Grace period changed
  • Key revoked
Events appear both in the key’s own Activity tab and in the global Logs > Activity view. For API-triggered actions, the actor is recorded as the API key ID.

Best practices

  1. Rotate keys regularly — periodic rotation reduces risk even if a key has not been compromised
  2. Use appropriate grace periods — allow enough time to update all services using the old key
  3. Monitor activity logs — review key events to detect unexpected access
  4. Use environment-specific keys — never share keys across environments
For full details on managing API keys, including scoped keys and client-side security:

API key management