# How can I rotate my API key?

API key rotation is an essential security practice that limits the blast radius of a compromised key.

## How key rotation works

When you rotate an API key:

1. **A new key is generated** — it is immediately active
2. **The old key receives an expiration date** — it remains valid for the grace period you select, giving you time to update your services without downtime

## Grace period options

| Option          | Description                                           |
| --------------- | ----------------------------------------------------- |
| **Now**         | The old key is immediately invalidated                |
| **In 1 hour**   | The old key remains valid for 1 hour after rotation   |
| **In 24 hours** | The old key remains valid for 24 hours after rotation |
| **In 3 days**   | The old key remains valid for 3 days after rotation   |
| **In 7 days**   | The old key remains valid for 7 days after rotation   |

If you need more time after rotation has started, you can extend the grace period from the key's context menu using **Change grace period**.

## Revoking keys

Revocation immediately invalidates a key (equivalent to setting the expiration to now). All requests using the revoked key return `401 Unauthorized`.

Default keys must be rotated before they can be revoked — this ensures there is always an active key for your environment.

## Activity logging

All key lifecycle events are captured in the activity log:

* Key created
* Key rotated
* Grace period changed
* Key revoked

Events appear both in the key's own **Activity** tab and in the global **Logs > Activity** view. For API-triggered actions, the actor is recorded as the API key ID.
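The lifecycle described in the sections above (rotation with a grace period, extending it, revocation, and the activity log entries each step produces), as an added Python model that is not Stigg's code or API; the `KeyStore` class, its method names and the simulated integer clock are assumptions for illustration only:

```python
# Grace period options from the page, in seconds ("Now" = 0).
GRACE_PERIODS = {"now": 0, "1h": 3600, "24h": 86400, "3d": 3 * 86400, "7d": 7 * 86400}


class KeyStore:
    """Hypothetical model of one environment's API keys; not Stigg's API."""

    def __init__(self, now=0):
        self.now = now           # simulated clock (unix seconds), advanced by the caller
        self.expires_at = {}     # key_id -> expiry time, or None if no expiry is set
        self.default_key = None
        self.activity = []       # (event, key_id) pairs, as the activity log records them

    def create(self):
        key_id = f"key_{len(self.expires_at) + 1}"
        self.expires_at[key_id] = None
        if self.default_key is None:
            self.default_key = key_id   # first key of the environment is the default
        self.activity.append(("created", key_id))
        return key_id

    def rotate(self, old_id, grace):
        """New key is active at once; the old key stays valid for the grace period."""
        new_id = self.create()
        self.expires_at[old_id] = self.now + GRACE_PERIODS[grace]
        if self.default_key == old_id:
            self.default_key = new_id   # rotation hands the default role to the new key
        self.activity.append(("rotated", old_id))
        return new_id

    def change_grace_period(self, key_id, grace):
        """Extend (or shorten) a grace period that has already started."""
        self.expires_at[key_id] = self.now + GRACE_PERIODS[grace]
        self.activity.append(("grace_changed", key_id))

    def revoke(self, key_id):
        """Invalidate immediately; the default key has to be rotated first."""
        if key_id == self.default_key:
            raise ValueError("default key must be rotated before it can be revoked")
        self.expires_at[key_id] = self.now          # same as a grace period of "now"
        self.activity.append(("revoked", key_id))

    def authorize(self, key_id):
        """HTTP status a request with this key would receive at the current time."""
        exp = self.expires_at.get(key_id, self.now)  # unknown key is treated as expired
        return 401 if exp is not None and exp <= self.now else 200
```

Advancing `now` past the old key's expiry shows exactly when requests with it start returning `401`, which is the window a service update has to finish in.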

## Best practices

1. **Rotate keys regularly** — periodic rotation reduces risk even if a key has not been compromised
2. **Use appropriate grace periods** — allow enough time to update all services using the old key
3. **Monitor activity logs** — review key events to detect unexpected access
4. **Use environment-specific keys** — never share keys across environments

For full details on managing API keys, including scoped keys and client-side security:

<Card title="API key management" icon="key" href="/api-and-sdks/api-reference/api-keys" horizontal />
