POST /api/v1/projects/{project_id}/api-keys/{id}/rotateRequires api_keys.write permission.
Rotating a key immediately invalidates the previous secret. Any services using the old key will stop working as soon as this request completes. Update your configuration with the new secret before rotating in production.
Path parameters UUID of the API key to rotate.
Request body New ISO 8601 expiry datetime for the rotated key. Pass null for a non-expiring key. Omit to keep the current expiry.
Response Updated metadata for the rotated API key. UUID of the scoped environment.
Key scope: server, sdk, or stream.
Updated short prefix for the new secret.
ISO 8601 timestamp of the last request, or null.
IP address of the last request, or null.
Expiry timestamp for the new key, or null.
Always null for an active rotated key.
ISO 8601 creation timestamp of the original key.
ISO 8601 timestamp of the rotation.
The new plaintext API key secret. Shown only once — store it immediately.
Errors Status When 400Request body is invalid 401Missing or invalid Bearer token 403Caller lacks api_keys.write permission 404Project or API key not found
Example curl -X POST http://localhost:8080/api/v1/projects/p1b2c3d4-e5f6-7890-abcd-ef1234567890/api-keys/k1b2c3d4-e5f6-7890-abcd-ef1234567890/rotate \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{}'
{ "api_key" : { "id" : "k1b2c3d4-e5f6-7890-abcd-ef1234567890" , "project_id" : "p1b2c3d4-e5f6-7890-abcd-ef1234567890" , "environment_id" : "e1b2c3d4-e5f6-7890-abcd-ef1234567890" , "name" : "Production Server Key" , "scope" : "server" , "key_prefix" : "tgl_srv_def456" , "last_used_at" : "2026-03-20T08:00:00Z" , "last_used_ip" : "203.0.113.42" , "expires_at" : null , "revoked_at" : null , "created_at" : "2026-01-15T09:00:00Z" , "updated_at" : "2026-03-21T10:00:00Z" }, "secret" : "tgl_srv_def456xyz789..." }