API Key Rotation
Key rotation is the practice of periodically replacing your API key with a new one. This is a critical security measure that limits the impact of compromised credentials and helps meet compliance requirements.
Why Rotate Keys?
Regular key rotation provides several important security benefits:
- Limit exposure window - If a key is compromised, rotation ensures the attacker's access is time-limited
- Reduce risk from leaks - Keys may inadvertently appear in logs, error messages, or version control history
- Meet compliance requirements - Many security frameworks (SOC 2, PCI-DSS, ISO 27001) require periodic credential rotation
- Revoke access cleanly - When team members leave or applications are decommissioned, rotating ensures old keys stop working
- Audit trail clarity - Fresh keys make it easier to track when and where credentials were provisioned
Even if you have no reason to believe your key has been compromised, regular rotation (e.g., quarterly or annually) is a security best practice that reduces your overall risk profile.
How to Rotate Your API Key
You can rotate your primary API key through the dashboard:
- Navigate to API Keys in your dashboard
- Click the Rotate Key button on your primary API key
- If you have a Pro or Mega plan, optionally select an expiration period for the new key
- Confirm by clicking Rotate Key
- Copy your new API key and update all your applications
When you rotate your key, the old key is invalidated immediately. Any requests using the old key will fail with a 401 Unauthorized error. Make sure you're ready to update your applications before rotating.
What Happens During Rotation
- A new API key is generated with the
apv_prefix - The new key is immediately active and ready to use
- The old key is permanently invalidated
- Your sub-keys remain unaffected (they continue working)
- Your subscription, usage history, and settings are preserved
Key Expiration
Pro and Mega plans include the ability to set automatic key expiration. When you rotate your key, you can choose when it should expire:
| Option | Description | Best For |
|---|---|---|
| Never | Key will not expire automatically | Production systems with manual rotation schedules |
| 7 days | Expires in 1 week | Short-term testing, temporary access |
| 30 days | Expires in 1 month | Development cycles, sprint-based rotation |
| 90 days | Expires in 3 months | Quarterly rotation schedules |
| 6 months | Expires in 6 months | Semi-annual compliance requirements |
| 1 year | Expires in 1 year | Annual rotation policies |
Key expiration settings are available on Pro and Mega plans. Free plan keys never expire automatically. Upgrade to access expiration controls.
Expiration Indicators
Your dashboard shows the expiration status of your API key:
- Never - Key does not have an expiration date
- Date with days remaining - Shows when the key will expire
- Expiring soon (yellow) - Less than 14 days until expiration
- Expired (red) - Key has expired and needs rotation
What Happens When a Key Expires
When your API key reaches its expiration date:
- All API requests using that key receive a
401 Unauthorizederror - The error message indicates the key has expired
- You must rotate to a new key to restore access
- Sub-keys continue working (they don't inherit expiration from the primary key)
{
"status": "error",
"error": "API key has expired. Please rotate your key in the dashboard.",
"data": null
}For comprehensive details on key expiration including compliance requirements (SOC 2, PCI-DSS, ISO 27001), monitoring strategies, and recovery procedures, see our dedicated Key Expiration guide.
Rotation Strategies
How you handle key rotation depends on your application architecture and deployment process.
Zero-Downtime Rotation
For production systems that can't tolerate downtime:
- Use sub-keys - Create a sub-key for each application or service
- Rotate one at a time - When rotating, create a new sub-key, deploy it, then delete the old one
- Stagger rotations - Don't rotate all keys simultaneously
Since sub-keys can be created independently, you can have the new key ready before invalidating the old one. Create the new sub-key, update your app, verify it works, then delete the old sub-key.
Scheduled Rotation
For applications with maintenance windows:
- Set a key expiration that aligns with your maintenance schedule
- Rotate the key during your maintenance window
- Update all applications with the new key
- Verify functionality before ending maintenance
Environment Variables
Store your API key in environment variables to simplify rotation:
# .env file
APIVERVE_API_KEY=apv_your_new_key_here
# Application code reads from environment
const apiKey = process.env.APIVERVE_API_KEY;This approach means rotation only requires updating the environment variable, not changing application code.
Forms Key Rotation
If you use VerveKit Embedded Forms, you also have a separate Forms key that can be rotated.
Key Differences
| Aspect | API Key | Forms Key |
|---|---|---|
| Purpose | Server-side API calls | Client-side form embeds |
| Expiration | Configurable (Pro+) | Never expires |
| After rotation | Update server configuration | Regenerate all embed codes |
When you rotate your Forms key, all existing embed codes become invalid. You'll need to regenerate embed codes for all your forms and update them on your websites.
Best Practices
Before Rotating
- Inventory all usage - Know everywhere your API key is used before rotating
- Prepare deployment - Have your deployment process ready to push the new key
- Test in staging - Verify your rotation process works in a non-production environment
- Schedule appropriately - Rotate during low-traffic periods when possible
During Rotation
- Copy immediately - Copy the new key as soon as it's generated
- Deploy quickly - Minimize the time between rotation and deployment
- Monitor for errors - Watch your logs for 401 errors indicating missed updates
After Rotating
- Verify functionality - Test critical API calls to confirm the new key works
- Check all services - Ensure every application using the API has been updated
- Document the rotation - Record when and why the rotation occurred
- Schedule next rotation - If using manual rotation, set a reminder for the next one
Rotation Schedule Recommendations
| Scenario | Recommended Frequency |
|---|---|
| Production systems with compliance requirements | 90 days (quarterly) |
| General production use | 180 days (semi-annually) |
| Low-risk development/internal tools | 365 days (annually) |
| Suspected compromise | Immediately |
| Team member departure | Immediately |
Emergency Rotation
If you suspect your API key has been compromised, rotate immediately:
- Rotate now - Don't wait; go to your dashboard and rotate immediately
- Check usage - Review your analytics for unusual activity
- Update applications - Push the new key to all your services as quickly as possible
- Investigate the leak - Determine how the key was exposed to prevent future incidents
- Audit access - Check if any unauthorized actions were taken during the exposure window
Watch for these indicators that your key may be compromised:
- Unexpected spike in API usage
- Requests from unfamiliar IP addresses or regions
- API calls to services you don't use
- Key found in public repositories or logs
Troubleshooting
401 Errors After Rotation
If you're getting 401 errors after rotating:
- Check the key value - Ensure you copied the complete new key including the
apv_prefix - Verify deployment - Confirm the new key has been deployed to all services
- Check environment variables - Make sure environment variables have been updated and reloaded
- Clear caches - Some systems cache credentials; restart services if needed
- Check for hardcoded keys - Search your codebase for any hardcoded old key values
Forgot to Copy New Key
If you rotated but didn't copy the new key:
- Go to your API Keys dashboard
- Your current key is always visible (click the eye icon to reveal)
- Copy it and update your applications
Key Expired Unexpectedly
If your key expired and you weren't prepared:
- Rotate to generate a new key immediately
- Consider setting a longer expiration or using calendar reminders
- Set up monitoring to alert you before expiration
For detailed recovery steps and prevention strategies, see Key Expiration Recovery.
Go to your API Keys dashboard to rotate your key. Need help managing multiple keys? Learn about sub-keys.