
# Rotating API keys without downtime

4 min read Updated January 25, 2026

## Why Rotate Keys

Regular key rotation limits the blast radius of a compromised key. ComplianceGrid supports up to 2 active keys per environment, enabling zero-downtime rotation.

## Rotation Process

### Step 1: Create a New Key

In the Developer Portal (Dashboard → Developer → API Keys), click Create API Key to generate a new key in the same environment. You now have two active keys.

### Step 2: Update Your Services

Deploy the new key to your services. Both the old and new keys will work simultaneously during this transition period. Update environment variables, secrets managers, and CI/CD pipelines.

### Step 3: Verify the New Key

Confirm the new key works by monitoring your API responses for 200 status codes. Check your usage dashboard to see requests flowing through the new key.

### Step 4: Revoke the Old Key

Once all services are using the new key, revoke the old one via the Developer Portal. Any requests using the old key will immediately receive 401 errors.

## Automating Rotation

For automated rotation, use the Admin API to programmatically manage keys:

```bash
# Create a new key
curl -X POST https://api.compliancegrid.ai/v1/developer/keys \
  -H "Authorization: Bearer $CG_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "production-rotated-2026-02", "environment": "production"}'

# Revoke the old key after migration
curl -X POST https://api.compliancegrid.ai/v1/developer/keys/OLD_KEY_ID/revoke \
  -H "Authorization: Bearer $CG_TOKEN"
```
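The four manual steps above and the two Admin API calls can be driven by one script that enforces the ordering that makes the rotation zero-downtime: the old key is revoked only after the new key has served a successful request, and a failed verification rolls the configuration back while the old key is still valid. The following is an added example, not ComplianceGrid tooling. It uses only the two endpoints shown in this article; the response field names `id` and `key`, the exact success status codes (any 2xx is accepted), and the 409 returned when the two-active-keys limit is hit are assumptions, as are the names `rotate_key`, `SecretStore` and `FakeAdminApi`. The HTTP transport is injected so the flow runs offline against the in-memory fake; in production, pass a callable built on `requests` that makes the same `(method, url, headers, body)` call.

```python
"""Zero-downtime rotation of a ComplianceGrid API key (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

KEYS_URL = "https://api.compliancegrid.ai/v1/developer/keys"

# transport(method, url, headers, json_body) -> (status_code, json_response)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


@dataclass
class SecretStore:
    """Stand-in for the env var / secrets manager that your services read the key from."""
    active_key: str
    history: list = field(default_factory=list)

    def swap(self, new_key: str) -> str:
        previous = self.active_key
        self.history.append(previous)
        self.active_key = new_key
        return previous


def rotate_key(transport: Transport, admin_token: str, store: SecretStore,
               old_key_id: str, environment: str, name: str,
               verify: Callable[[str], bool]) -> dict:
    """Create -> deploy -> verify -> revoke. At every point the store holds a
    key that the API still accepts, which is what makes the rotation downtime-free."""
    headers = {"Authorization": f"Bearer {admin_token}",
               "Content-Type": "application/json"}

    # Step 1: create the second key in the same environment.
    status, body = transport("POST", KEYS_URL, headers,
                             {"name": name, "environment": environment})
    if not 200 <= status < 300:
        return {"rotated": False, "stage": "create", "status": status}
    new_key_id, new_secret = body["id"], body["key"]  # field names are assumed

    # Step 2: point services at the new key; both keys remain active for now.
    previous_secret = store.swap(new_secret)

    # Step 3: verify with a real request before touching the old key.
    if not verify(new_secret):
        store.swap(previous_secret)  # roll back; the old key is still valid
        return {"rotated": False, "stage": "verify", "new_key_id": new_key_id}

    # Step 4: revoke the old key; its requests now receive 401.
    status, _ = transport("POST", f"{KEYS_URL}/{old_key_id}/revoke", headers, None)
    if not 200 <= status < 300:
        # Services are live on the new key, but the old one is still usable:
        # surface this so it gets revoked manually.
        return {"rotated": True, "stage": "revoke", "old_key_revoked": False,
                "new_key_id": new_key_id, "status": status}
    return {"rotated": True, "stage": "done", "old_key_revoked": True,
            "new_key_id": new_key_id}


class FakeAdminApi:
    """Constructed in-memory stand-in for the Admin API and the data plane.
    Enforces the article's 2-active-keys-per-environment limit (409 is assumed)."""

    def __init__(self) -> None:
        self.keys: Dict[str, dict] = {}  # key_id -> {"secret": ..., "active": ...}
        self._n = 0

    def seed(self, key_id: str, secret: str) -> None:
        self.keys[key_id] = {"secret": secret, "active": True}

    def active_count(self) -> int:
        return sum(1 for k in self.keys.values() if k["active"])

    def transport(self, method: str, url: str, headers: Dict[str, str],
                  body: Optional[dict]) -> Tuple[int, dict]:
        if headers.get("Authorization") != "Bearer admin-token":
            return 401, {"error": "unauthorized"}
        if method == "POST" and url == KEYS_URL:
            if self.active_count() >= 2:
                return 409, {"error": "active key limit reached"}
            self._n += 1
            key_id, secret = f"key_{self._n}", f"cg_secret_{self._n}"
            self.keys[key_id] = {"secret": secret, "active": True}
            return 201, {"id": key_id, "key": secret, "environment": body["environment"]}
        if method == "POST" and url.startswith(KEYS_URL + "/") and url.endswith("/revoke"):
            key_id = url[len(KEYS_URL) + 1:-len("/revoke")]
            if key_id not in self.keys:
                return 404, {"error": "not found"}
            self.keys[key_id]["active"] = False
            return 200, {"id": key_id, "revoked": True}
        return 404, {"error": "no route"}

    def data_plane_ok(self, secret: str) -> bool:
        """Simulates an API call with `secret`: True (a 200) only for an active key."""
        return any(k["active"] and k["secret"] == secret for k in self.keys.values())


if __name__ == "__main__":
    api = FakeAdminApi()
    api.seed("key_old", "cg_secret_old")
    store = SecretStore(active_key="cg_secret_old")
    print(rotate_key(api.transport, "admin-token", store, "key_old",
                     "production", "production-rotated-2026-02", api.data_plane_ok))
```

The limit check in the fake reflects a practical caveat of the two-key model: if a previous rotation left its old key unrevoked, the next create call fails, so the script's `create` failure branch is the signal to go back and finish Step 4.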

## Recommended Rotation Schedule

  • Every 90 days for production keys
  • Every 180 days for sandbox keys (lower risk)
  • Immediately if a key is suspected to be compromised
