API Key Rotation

API Key Rotation

Seamless key rotation with zero-downtime grace period.

• Rotate endpoint — generates a new key while the old key continues to work during a grace period
• Grace period — old key remains valid for 24 hours after rotation, then stops working automatically
• Key linking — rotated keys are linked to their replacement for audit trail
• Double-rotation protection — a key that is already being rotated cannot be rotated again
• Auth middleware — automatically rejects keys whose grace period has expired
• Full audit logging on all rotation events