keyId and issues a brand-new key that inherits the same name and permission scopes. Any in-flight requests using the old key will begin to receive 401 Unauthorized responses as soon as the rotation completes. Store the new rawApiKey immediately — it is returned only once.
POST /api/v1/enterprise/api-keys/{keyId}/rotate
Path Parameters
The unique identifier of the API key you want to rotate. You can find this value in the
id field returned by the List API Keys or Generate API Key endpoints.Example: key_a1b2c3d4e5f6Code Examples
Response
A200 OK response confirms the old key has been invalidated and a replacement has been issued. The rawApiKey in the response is the new key value — update your secrets store with it before closing the response.
The identifier of the newly issued replacement key. Note that this differs from the
keyId you submitted in the path — the old key has been deactivated and replaced with this new one.The name inherited from the rotated key, unchanged.
The plaintext value of the newly generated replacement key. This is returned exactly once. Update your secrets manager immediately. The previous key is now permanently invalidated.
The permission scopes inherited from the rotated key, unchanged.
The UTC timestamp at which the replacement key was generated.
Error Responses
| HTTP Status | Error Code | Description |
|---|---|---|
401 Unauthorized | UNAUTHORIZED | The Authorization header is absent or the bearer token is invalid. |
403 Forbidden | FORBIDDEN | The authenticated identity does not have permission to rotate API keys for this organization. |
404 Not Found | NOT_FOUND | No API key with the provided keyId exists for this organization, or the key has already been deleted. |
429 Too Many Requests | RATE_LIMITED | You have exceeded the hourly rate limit. Check X-RateLimit-Reset for your reset time. |