Visibility: public · internal (OpenAPI Custom Extension: x-visibility)
Generate a new secret for an existing API key. The key ID, metadata, and role bindings remain unchanged.
By default the old secret is invalidated immediately. Use gracePeriodSeconds to keep both old and new secrets valid for a short overlap window, allowing zero-downtime rotation in distributed systems.
Regular users can only rotate keys they created. Requests targeting keys owned by other users return 404 to prevent key ID enumeration. Tenant administrators can rotate any key within the tenant.
Only active keys can be rotated. Disabled or expired keys must be re-enabled or recreated first.
Bearer token authentication using OAuth2/OIDC tokens
API key resource identifier.
Duration in seconds during which both the old and new secrets are valid. Allows distributed systems to pick up the new secret without downtime.
0 <= x <= 300
120
Key rotated successfully. The new secret is included in this response only and cannot be retrieved again.
API key metadata with the new secret value.
Server-generated UUID. Immutable.
Human-readable display name for the API key.
1 - 255 "CI/CD Pipeline Key"
The level in the resource hierarchy this key is scoped to. Determines the resource boundary for all operations performed with this key:
Combined with scopeId, this defines the key's blast radius. Subject to org-level policy constraints (e.g., an org may prohibit organization-scoped keys).
organization, project "project"
Resource identifier corresponding to the scope level:
"proj-abc123"
Current key status.
active, disabled, expired "active"
User ID of the principal who created this key. The key's privilege ceiling is derived from this user.
"user-xyz789"
Timestamp when the key was created.
New opaque, prefixed API key secret. Store securely — cannot be retrieved again.
"plt_sk_apikey-j2k3l4_x9y8z7w6v5u4..."
Timestamp when the previous secret becomes invalid. Equal to the current time when gracePeriodSeconds is 0. Null if no previous secret existed.
Server-defined URL for this resource.
"/v1/iam/api-keys/apikey-j2k3l4"
Optional description of the key's intended use.
1024
Optional role bindings that act as a privilege ceiling for the key. Effective privileges are evaluated at token-mint time, not at key creation time:
Each role must be a valid org-defined role slug. At creation and update time, every listed role must be held by the caller; however, the key remains valid if the user later loses a listed role (it simply has no effect until the user regains it).
Effective privileges are always bounded by the key's scope (organization or project).
["viewer", "member"]
Key expiration timestamp. If not set at creation, defaults to the organization's configured maximum API key lifetime. Cannot exceed the org-level maximum.
Timestamp of the last metadata change (name, roles, status).
Timestamp of the most recent secret rotation. Null if never rotated.
Timestamp of the last successful token mint using this key.
IP address from which the key was last used.
"203.0.113.42"
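An added example, not part of the original reference or the platform's own code: a small in-memory Python model of the rotation rules described above (owner-or-admin check with 404 for everything else, active-only keys, the gracePeriodSeconds range and the overlap window). Class, method and record field names are hypothetical, time is passed in as epoch seconds, the model covers a single tenant, and keeping only SHA-256 digests with constant-time comparison is a choice of this example rather than something the page states.

```python
import hashlib, hmac, secrets

MAX_GRACE_SECONDS = 300  # upper bound of the gracePeriodSeconds range

class NotFound(Exception):
    """Stands in for the documented 404 on keys the caller may not rotate."""

def _digest(secret):
    # Secrets are long random strings, so a plain SHA-256 digest is enough at rest.
    return hashlib.sha256(secret.encode()).digest()

def _new_secret(key_id):
    # Shape modelled on the page's example value; the exact format is an assumption.
    return "plt_sk_" + key_id + "_" + secrets.token_urlsafe(24)

class ApiKeyStore:
    def __init__(self):
        self.keys = {}  # key id -> record (hypothetical field names)

    def create(self, key_id, owner):
        secret = _new_secret(key_id)
        self.keys[key_id] = {"owner": owner, "status": "active",
                             "current": _digest(secret), "previous": None,
                             "previous_expires_at": None}
        return secret

    def rotate(self, key_id, caller, is_admin, grace_period_seconds, now):
        rec = self.keys.get(key_id)
        # Unknown key and someone else's key look the same, so IDs cannot be enumerated.
        if rec is None or (rec["owner"] != caller and not is_admin):
            raise NotFound(key_id)
        if rec["status"] != "active":
            raise ValueError("only active keys can be rotated")
        if not 0 <= grace_period_seconds <= MAX_GRACE_SECONDS:
            raise ValueError("gracePeriodSeconds out of range")
        secret = _new_secret(key_id)
        rec.update(previous=rec["current"], current=_digest(secret),
                   previous_expires_at=now + grace_period_seconds)
        return secret, rec["previous_expires_at"]  # plaintext leaves the store only here

    def verify(self, key_id, secret, now):
        rec = self.keys.get(key_id)
        if rec is None or rec["status"] != "active":
            return False
        presented = _digest(secret)
        ok_current = hmac.compare_digest(presented, rec["current"])
        ok_previous = (rec["previous"] is not None and now < rec["previous_expires_at"]
                       and hmac.compare_digest(presented, rec["previous"]))
        return ok_current or ok_previous
```

With a grace period of 0 the returned expiry equals `now`, so the old secret fails verification from that instant on; a second rotation inside the window drops the oldest secret immediately.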