Rotate API Key

Beta
POST /v1/auth/api-keys/{id}/actions/rotate

Idempotent with Idempotency-Key header.

Rotates an API key by revoking the existing key and issuing a replacement with the same name, role, and expiration (unless overridden).

The secret key is returned once and cannot be retrieved later, so you should store it securely. We provide some recommendations on how you can manage your API keys.

Role type required. Values: admin
Only API keys or agents whose role has this type can call this endpoint.

id string

API key ID to rotate.

include[] optional array enum Values: role, role.permissions

Sub-objects to expand in the response. When omitted, sub-objects are returned as null.

expires_at optional string (date-time)

Expiration timestamp override for the new key.

If omitted, the previous key's expiration is used.

revoke_at optional string (date-time)

When to revoke the old key.

If omitted, the old key is revoked immediately. A future timestamp schedules revocation (keeping the old key valid until then) up to a maximum of 30 days out.

object string enum Values: created_api_key

Resource type identifier.

api_key_secret string

Full secret value.

Returned once and cannot be retrieved later. Learn more about managing your API keys.

api_key_info api_key

API key metadata.

id string

API key ID.

object string enum Values: api_key

Resource type identifier.

name string

Human-readable name for the API key.

redacted_value string

Redacted key value safe for display.

The key's prefix followed by its last four characters, e.g. aug_sk_prod_****hjt4.

role role Expandable nullable

Role assigned to the key, which determines the permissions of requests made with it.

id string

Role ID.

object string enum Values: role

Resource type identifier.

name string

Display name, unique within the account.

type string enum Values: admin, user, scanner

The kind of role.

The role's type is sometimes used to gate special behaviors and to restrict some actions to only certain types of roles. For example, only roles with the type admin can create and manage API keys.

  • admin: full administrative access, including managing API keys.
  • user: a custom role tailored to a specific need (its permissions are defined explicitly). Roles created through the API always have this type.
  • scanner: a role for scanning-station operators.
  • sales_rep: a role for sales representatives.
  • agent: a role assigned to an automated agent rather than a person.

owner owner nullable

Provenance of this role.

System-owned roles are global defaults shared across all accounts and cannot be modified or deleted; account-owned roles are custom roles created by that account.

Always returned as null in this endpoint.

permissions array of string Expandable nullable

Permissions granted by this role, in {domain}:{action} format, such as customers:read.

created_at string (date-time)

Creation timestamp.

updated_at string (date-time)

Last updated timestamp.

last_used_at string (date-time) nullable

When the key was last used to authenticate a request.

Updated at most once every 24 hours, so it may lag the key's most recent use. null if the key has never been used.

expires_at string (date-time) nullable

When the key expires and stops authenticating.

null if the key never expires.

revoked_at string (date-time) nullable

When the key's revocation takes effect.

A future timestamp means revocation was scheduled (for example, during rotation) and the key continues to authenticate requests until that time. null if the key has not been revoked.

created_at string (date-time)

Creation timestamp.

updated_at string (date-time)

Last updated timestamp.

Responses

201

Successful response for Rotate API Key
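
A client-side rotation flow for this endpoint, added here as an example and not part of the original reference: it builds the request with a bounded revoke_at overlap and an Idempotency-Key, then stores the one-time secret and returns only metadata that is safe to log. The helper names, the store_secret callback, the sample response values, and sending revoke_at in a JSON body are assumptions; authentication and the HTTP call itself are left out.

```python
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

MAX_OVERLAP = timedelta(days=30)  # page: revoke_at is at most 30 days out

# Constructed sample response; every value here is made up for illustration.
SAMPLE_RESPONSE = {
    "object": "created_api_key",
    "api_key_secret": "aug_sk_prod_CONSTRUCTEDEXAMPLEhjt4",
    "api_key_info": {"id": "key_example_01", "object": "api_key",
                     "name": "billing-worker",
                     "redacted_value": "aug_sk_prod_****hjt4",
                     "expires_at": None, "revoked_at": None},
}


def build_rotate_request(key_id, overlap, now=None, idempotency_key=None):
    """Return (method, path, headers, body); overlap keeps the old key valid."""
    now = now or datetime.now(timezone.utc)
    if not timedelta(0) <= overlap <= MAX_OVERLAP:
        raise ValueError("overlap must be between 0 and 30 days")
    body = {}
    if overlap > timedelta(0):  # omitted revoke_at revokes the old key at once
        body["revoke_at"] = (now + overlap).isoformat()
    # Reuse one Idempotency-Key when retrying a timed-out call, so the retry
    # cannot rotate a second time and strand the secret from the first attempt.
    headers = {"Idempotency-Key": idempotency_key or str(uuid.uuid4())}
    # Assumption: revoke_at is sent in a JSON body; the page does not say where.
    path = f"/v1/auth/api-keys/{quote(key_id, safe='')}/actions/rotate"
    return "POST", path, headers, body


def accept_rotated_key(response, store_secret):
    """Store the one-time secret; return only metadata that is safe to log."""
    if response.get("object") != "created_api_key":
        raise ValueError("unexpected object type")
    secret, info = response["api_key_secret"], response["api_key_info"]
    # redacted_value ends with the key's last four characters, so the stored
    # secret can be tied to this key ID without ever printing it.
    if not info["redacted_value"].endswith(secret[-4:]):
        raise ValueError("secret does not match redacted_value")
    store_secret(info["id"], secret)  # hypothetical secret-manager callback
    return {k: info[k] for k in ("id", "name", "redacted_value", "expires_at")}
```

Persist the Idempotency-Key before sending, so that a retry after a crash or timeout reuses it.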