Key Rotation

Key rotation lets you replace an API key or agent token with a new one, optionally keeping the old one valid for a grace period so you can swap credentials without downtime.

Rotating an API key

Go to Dashboard → API Keys, click a key, and scroll to the Rotate section. Choose a grace period and click Rotate Key.

A new key is generated immediately. The old key either:

Expires after the grace period — both keys work during this window, giving you time to update your integrations
Is revoked immediately — if you set the grace period to 0

The new key inherits the same label and endpoint scopes as the old one.

Rotating an agent token

Go to Dashboard → Agents, click a token, and scroll to the Rotate section. Same flow — choose a grace period and click Rotate Token.

The new token keeps the same agent name and label. During the grace period, both the old and new tokens can authenticate, so you can update the agent without it going offline.

Grace periods

Option	Old key/token behavior
Immediate	Revoked instantly
15 minutes	Valid for 15 more minutes
1 hour	Valid for 1 more hour
6 hours	Valid for 6 more hours
24 hours	Valid for 1 more day
3 days	Valid for 3 more days
7 days	Valid for 7 more days

After the grace period, the old credential stops working automatically. No manual cleanup needed.

When to rotate

Scheduled rotation — rotate keys periodically as a security best practice
Compromised credentials — rotate immediately (grace period = 0) if a key leaks
Team member offboarding — rotate keys that a departing team member had access to
CI/CD updates — use a grace period so the old key works while your pipeline deploys the new one

How it works

You click Rotate on an existing key or token
A new credential is generated with the same configuration
The old credential gets an expires_at timestamp (or is revoked immediately)
Both credentials work during the grace window
After expiry, only the new credential works

The new key is shown once — copy it before closing the dialog.