API key rotation - Kosli Documentation

Rotating API keys regularly limits the blast radius of a leaked credential. Kosli supports zero-downtime rotation for service account API keys: a new key is issued immediately while the old key remains valid for a configurable grace period.

How rotation works

When you rotate a service account API key, Kosli:

Generates a new API key and returns its value once.
Keeps the old key valid for a configurable grace period (default: 24 hours).
Automatically revokes the old key when the grace period expires.

Choose a grace period that fits your deployment cadence — long enough to roll the new key out to every consumer, short enough to limit exposure.

Where next

Rotating API keys (tutorial) — step-by-step walkthrough in the web app and via the API.
Service accounts — service account lifecycle.
Rotate an API key (API reference)
Revoke an API key (API reference)
List API keys (API reference)

Last modified on June 5, 2026

Service accounts Roles in Kosli

⌘I

​How rotation works

​Where next

How rotation works

Where next