API Key Expiration
Key expiration automatically invalidates your API key after a set period, enforcing regular credential rotation. This feature helps meet security compliance requirements and reduces the risk of long-lived compromised credentials.
Key expiration settings are available on Pro and Mega plans. Free plan keys never expire automatically. Upgrade to access expiration controls.
Why Use Key Expiration?
Automatic key expiration provides several security benefits:
- Enforce rotation schedules - Ensure credentials are rotated on a predictable cadence without relying on manual processes
- Limit credential lifespan - Reduce the window of opportunity for compromised keys to be exploited
- Meet compliance requirements - Many security frameworks (SOC 2, PCI-DSS, ISO 27001, HIPAA) require periodic credential rotation
- Clean up forgotten keys - Automatically invalidate keys that may have been provisioned and forgotten
- Encourage good hygiene - Build credential rotation into your operational processes
Expiration and manual rotation work together. Use expiration to enforce a maximum key lifetime, and rotate manually whenever you need to (e.g., after a suspected compromise or team change).
Expiration Options
When you rotate your API key, you can choose an expiration period for the new key:
| Option | Duration | Best For |
|---|---|---|
| Never | No expiration | Production systems with manual rotation policies |
| 7 days | 1 week | Short-term testing, temporary access, demos |
| 30 days | 1 month | Development sprints, monthly rotation cycles |
| 90 days | 3 months | Quarterly compliance requirements (common for SOC 2) |
| 6 months | 180 days | Semi-annual rotation, lower-risk environments |
| 1 year | 365 days | Annual rotation policies, stable production systems |
Choosing an Expiration Period
Consider these factors when selecting an expiration period:
- Compliance requirements - Check if your industry or security framework mandates specific rotation intervals
- Operational overhead - Shorter periods mean more frequent rotations and deployments
- Risk tolerance - Shorter periods limit exposure but require more active management
- Deployment complexity - Consider how easy it is to update keys across your systems
| Scenario | Recommended Expiration |
|---|---|
| SOC 2 compliance | 90 days |
| PCI-DSS compliance | 90 days |
| General production | 6 months or 1 year |
| Active development | 30 days |
| Temporary contractor access | 7 or 30 days |
| Demo or POC | 7 days |
Setting Key Expiration
Key expiration is configured during the rotation process:
- Go to API Keys in your dashboard
- Click Rotate Key on your primary API key
- Select your desired expiration period from the dropdown
- Click Rotate Key to confirm
The new key will be generated with the selected expiration date.
The expiration countdown begins from the moment you rotate. If you select "90 days", the key expires exactly 90 days from when you clicked "Rotate Key".
Changing Expiration on an Existing Key
You cannot change the expiration date of an existing key. To change the expiration:
- Rotate to a new key
- Select the desired expiration period during rotation
- Update your applications with the new key
Monitoring Key Expiration
Your dashboard shows the expiration status of your API key with visual indicators:
| Status | Visual Indicator | Meaning |
|---|---|---|
| Never | Gray text | Key has no expiration date |
| Active | Date shown | Key is valid, shows expiration date |
| Expiring Soon | Yellow badge with days remaining | Less than 14 days until expiration |
| Expired | Red 'Expired' badge | Key has expired and no longer works |
Expiration Alerts
The dashboard provides visual warnings as your key approaches expiration:
- 14 days before - Yellow "expiring soon" indicator appears
- 7 days before - More prominent warning
- On expiration - Red "Expired" badge, key stops working
APIVerve doesn't currently send email notifications before expiration. Set calendar reminders based on your key's expiration date to ensure you rotate before it expires.
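Because the dashboard is the only source of expiration warnings, it helps to track the same timeline on your own side. The following Python is an added example, not APIVerve's code: it derives the expiration date from the rotation time and the chosen option using the durations in the Expiration Options table (assumed to be exact day counts), mirrors the dashboard's Never / Active / Expiring Soon / Expired states with the 14-day threshold, and lists the 14, 7 and 3 day reminder dates suggested under Best Practices.

```python
from datetime import datetime, timedelta
from typing import Optional

# Durations from the Expiration Options table (taken as exact day counts).
EXPIRATION_PERIODS = {"Never": None, "7 days": 7, "30 days": 30,
                      "90 days": 90, "6 months": 180, "1 year": 365}
EXPIRING_SOON_DAYS = 14      # the dashboard's yellow badge threshold
REMINDER_DAYS = (14, 7, 3)   # calendar reminders suggested under Best Practices

def expiration_date(rotated_at: datetime, option: str) -> Optional[datetime]:
    """Expiry time for a key rotated at `rotated_at`: the countdown starts at
    the moment of rotation, and "Never" yields None."""
    days = EXPIRATION_PERIODS[option]
    return None if days is None else rotated_at + timedelta(days=days)

def key_status(expires_at: Optional[datetime], now: datetime) -> str:
    """Mirror the dashboard states: Never / Active / Expiring Soon / Expired."""
    if expires_at is None:
        return "Never"
    if now >= expires_at:                 # the key stops working at this instant
        return "Expired"
    if expires_at - now < timedelta(days=EXPIRING_SOON_DAYS):
        return "Expiring Soon"
    return "Active"

def describe_key(rotated_iso: str, option: str, now_iso: str) -> dict:
    """ISO-8601 wrapper for a scheduled job that records the rotation time and
    option, then pages the key owner before the dashboard would."""
    rotated_at = datetime.fromisoformat(rotated_iso)
    now = datetime.fromisoformat(now_iso)
    expires_at = expiration_date(rotated_at, option)
    remaining = None if expires_at is None else expires_at - now
    return {
        "status": key_status(expires_at, now),
        "expires_at": None if expires_at is None else expires_at.isoformat(),
        "days_remaining": None if remaining is None else max(remaining.days, 0),
        "reminders": [] if expires_at is None else
                     [(expires_at - timedelta(days=d)).date().isoformat()
                      for d in REMINDER_DAYS],
    }

if __name__ == "__main__":
    # Constructed sample: key rotated on 1 Jan 2024 with the 90-day option,
    # checked ten days before it expires.
    print(describe_key("2024-01-01T12:00:00+00:00", "90 days",
                       "2024-03-21T12:00:00+00:00"))
```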
What Happens When a Key Expires
When your API key reaches its expiration date:
- Immediate invalidation - The key stops working at the exact expiration time
- API requests fail - All requests using the expired key receive a 401 error
- Dashboard shows expired status - Red "Expired" badge appears
- Rotation required - You must rotate to a new key to restore access
Error Response
Requests made with an expired key receive this error:
```json
{
  "status": "error",
  "error": "API key has expired. Please rotate your key in the dashboard.",
  "data": null
}
```
Sub-Keys Are Not Affected
Important: Sub-keys do not inherit expiration from the primary key.
- Sub-keys continue working even if the primary key expires
- Sub-keys don't have their own expiration settings
- To revoke sub-key access, delete them individually
If your primary key expires unexpectedly, your sub-keys will still work. This can prevent complete service disruption while you rotate the primary key.
Recovering from Expired Keys
If your key has expired:
- Go to API Keys in your dashboard
- You'll see the "Expired" indicator on your key
- Click Rotate Key
- Select your new expiration period
- Confirm the rotation
- Copy the new key and update your applications
Service is restored immediately once the new key is deployed to your applications.
Minimizing Downtime
To minimize or eliminate downtime from key expiration:
- Set calendar reminders - Rotate a few days before expiration
- Use sub-keys - Sub-keys don't expire, providing a backup
- Automate deployments - Have a quick process to push new keys
- Monitor your dashboard - Check expiration status regularly
Compliance Considerations
Key expiration helps meet various compliance requirements:
SOC 2
SOC 2 Trust Services Criteria often require:
- Periodic rotation of authentication credentials
- Documentation of credential lifecycle management
A 90-day rotation interval is a common benchmark.
PCI-DSS
PCI-DSS Requirement 8 addresses credential management:
- Requirement 8.2.4: Change user passwords/passphrases at least once every 90 days
- API keys used in payment processing should follow similar guidelines
ISO 27001
ISO 27001 Annex A.9 covers access control:
- Regular review and update of access credentials
- Documented credential management procedures
HIPAA
HIPAA Security Rule (45 CFR 164.312) requires:
- Unique user identification
- Automatic logoff mechanisms
Regular credential review and rotation supports compliance with these safeguards.
Keep records of your key rotation schedule and actual rotations for compliance audits. Your dashboard's analytics show when keys were rotated.
Best Practices
Planning
- Choose based on compliance - If you have regulatory requirements, use the shortest required period
- Document your policy - Write down your chosen expiration period and rotation procedures
- Align with other credentials - Consider matching expiration with other credential rotation schedules
Operations
- Rotate before expiration - Don't wait until the last day; rotate with a buffer
- Test rotation process - Practice your rotation procedure before you need it urgently
- Use environment variables - Store keys in environment variables for easy updates
- Automate where possible - Script your key deployment to reduce manual steps
Monitoring
- Check dashboard weekly - Regular checks catch upcoming expirations
- Set multiple reminders - Calendar alerts at 14 days, 7 days, and 3 days before
- Monitor for 401 errors - Sudden 401 spikes may indicate an expired key
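To act on the expired-key error documented under Error Response and on the 401-spike signal in the list above, here is an added Python example (not APIVerve's code) that classifies a response by its status code and the documented error text, so an expired key is told apart from other 401 causes, and counts 401s per time window over constructed access-log lines; the log line format is an assumption.

```python
import json
from collections import Counter
from datetime import datetime

EXPIRED_PREFIX = "API key has expired"   # start of the documented error text

def classify_response(status_code: int, body: str) -> str:
    """Return 'ok', 'expired_key', 'unauthorized' or 'other_error'; the expired
    key is recognised by its documented error text, not just by the 401."""
    if 200 <= status_code < 300:
        return "ok"
    if status_code != 401:
        return "other_error"
    try:
        payload = json.loads(body)
    except ValueError:
        return "unauthorized"
    if not isinstance(payload, dict):
        return "unauthorized"
    error = str(payload.get("error", ""))
    if payload.get("status") == "error" and error.startswith(EXPIRED_PREFIX):
        return "expired_key"      # alert the key owner; retrying cannot help
    return "unauthorized"

def unauthorized_spikes(log_lines, window_minutes=5, threshold=3):
    """ISO start times of windows holding more than `threshold` 401 responses.
    Lines are constructed '<ISO timestamp> <HTTP status>' access-log entries;
    a burst of 401s from the expiration minute on is the expired-key signature."""
    counts = Counter()
    for line in log_lines:
        ts, status = line.split()
        if status != "401":
            continue
        t = datetime.fromisoformat(ts)
        start = t.replace(minute=t.minute - t.minute % window_minutes,
                          second=0, microsecond=0)
        counts[start.isoformat()] += 1
    return sorted(w for w, n in counts.items() if n > threshold)

# Constructed samples: the documented expired-key body, and two healthy
# requests followed by a burst of 401s beginning at the expiration minute.
EXPIRED_BODY = json.dumps({"status": "error", "data": None,
    "error": "API key has expired. Please rotate your key in the dashboard."})
SAMPLE_LOG = (["2024-03-31T11:58:30+00:00 200", "2024-03-31T11:59:10+00:00 200"]
              + [f"2024-03-31T12:00:{s:02d}+00:00 401" for s in (5, 12, 20, 41)])

if __name__ == "__main__":
    print(classify_response(401, EXPIRED_BODY))   # expired_key
    print(unauthorized_spikes(SAMPLE_LOG))        # ['2024-03-31T12:00:00+00:00']
```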
Expiration vs. Never Expire
When to use each approach:
Use Expiration When
- You have compliance requirements mandating rotation
- You want to enforce regular credential hygiene
- You're providing temporary access
- Your deployment process makes rotation easy
- You want automatic invalidation of old credentials
Use "Never" When
- You have a manual rotation schedule you trust
- Rotation is operationally complex
- You're in early development and frequently rotating anyway
- You use sub-keys with scoping for access control instead
Even with "Never" expiration, you should still rotate periodically. Expiration is a safety net, not a replacement for good security practices.
Go to your API Keys dashboard and rotate your key to set an expiration period. See Key Rotation for the full rotation process.