Rotate an API key: revoke it and mint a replacement with the same name, scopes, and expiry. The old secret stops working immediately; the new secret is returned once.
POST
Secret API key operationId: rotate/v1/api-keys/{id}/rotate Authorization
Server-to-server. Send a secret key as a Bearer token plus the x-application-id header.
Path parameters
idstring<uuid> requiredAPI key id
Responses
200 Rotated (new secret shown once)
{
"data": {
"active": false,
"created_at": "2026-01-15T09:30:00Z",
"expires_at": "2026-01-15T09:30:00Z",
"id": "018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f",
"last_used_at": "2026-01-15T09:30:00Z",
"name": "string",
"revoked_at": "2026-01-15T09:30:00Z",
"scopes": [
"string"
],
"secret": "string"
},
"error": {
"code": "string",
"message": "string"
},
"meta": {
"timestamp": "string"
},
"success": false
} 404 Not found
409 Already revoked
Request
curl -X POST "http://localhost:8080/v1/api-keys/018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f/rotate" \Try it
live requestPOST
http://localhost:8080/v1/api-keys/018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f/rotate