KubeadaptDocsBack to site
Sign inStart free
DocsAPI ReferenceCLI
  • Introduction
  • Getting Started
  • Capabilities
    • Connect a cluster
    • Right-size your workloads
    • Monitor GPU workloads
    • Trace cost to a team
    • Plan a safe spot migration
    • Clean up abandoned workloads
    • Invite teammates and set roles
    • Configure SAML SSO
    • Mint an API key
    • Rotate an API key
Docs homev1How To GuidesRotate An Api Key

How-to Guides

Rotate an API key

Cut over from an old Kubeadapt API key to a new one with no downtime, then revoke the old key.

Rotate keys on a schedule (90 days is a reasonable default), immediately if a key is exposed, and whenever staff with access leave the team. Both keys remain valid until the old one is revoked, so the cutover window is whatever your deploy cadence requires.

Note

Kubeadapt rotates server-side hashing material transparently. No client action is required for platform rotation — keys are never invalidated by Kubeadapt's own infrastructure changes. This guide is about rotating your key on your schedule.

1. Mint the replacement key

Follow Mint an API key to create a new key with the same scopes and cluster allow-list as the one being retired. Name it with a -vN suffix or the current date to distinguish it from the old key.

2. Deploy both keys side-by-side

Store the new key in your secrets store alongside the old one. The integration should still authenticate with the old key at this point — the new key is staged for activation.

3. Cut over to the new key

Update the integration's configuration to read the new key and redeploy. Watch for 401 UNAUTHORIZED responses during the cutover window — they signal a deploy that hasn't picked up the new key yet.

4. Revoke the old key

Once the integration is fully on the new key and no 401 traffic remains, go to Settings → API Keys in the dashboard and revoke the old key. Revocation takes effect on the next request, with no grace window.

A revoked key returns 401 UNAUTHORIZED immediately. If revoking causes new 401 traffic, an unknown caller is still using the old key — investigate the source before re-minting.

When to revoke immediately (skip the cutover)

Revoke without staging a replacement when:

  • The key is exposed in logs, source control, screenshots, or any channel you don't fully control.
  • The integration that owned the key is decommissioned.
  • The person who created the key leaves the team and no other owner is on file.
  • Unexplained 401 traffic appears on a key that should not be in use.

See also

  • Mint an API key — the create flow.
  • Authentication — the wire-level contract and 401/403 distinction.

Related

  • Authentication
  • Mint an API key
PreviousMint an API keyHow-to GuidesNextConfiguration OverviewConfiguration

On this page

  • 1. Mint the replacement key
  • 2. Deploy both keys side-by-side
  • 3. Cut over to the new key
  • 4. Revoke the old key
  • When to revoke immediately (skip the cutover)
  • See also
Edit this page
Kubeadapt

Kubernetes FinOps platform. Cost visibility, rightsizing, and capacity planning that pays for itself in 30 days.

Product

  • Cost Monitoring
  • Cost Attribution
  • Workload Rightsizing
  • Recommendations
  • Smart Alerting
  • Best Practices
  • Network Cross-AZ

Resources

  • Documentation
  • Status Page
  • Feature Requests

Company

  • About Us
  • Security
  • Careers
  • Contact

© 2026 Kubeadapt. All rights reserved.

PrivacyTermsSecurity