POST /auth/api/rotate-key
Rotate the client API key itself. Returns a new key and revokes every live access token.
New key is returned exactly once — persist it before doing anything else. Old key and all issued tokens stop working immediately.
Use case
Scheduled credential rotation or suspected leak: call with old key, write new key to secrets manager, redeploy consumers to re-issue tokens.
Headers
| Header | Required | Description |
|---|---|---|
| x-api-key | yes | Current API key. |
Body
None.
Response 200
{ "newApiKey": "…" }
Irreversible
The old key stops working the moment this call returns. Store the new one before any other action.
Example
curl -X POST "$BASE_URL/auth/api/rotate-key" \
-H "x-api-key: $OLD_KEY"
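
The rotation flow from the use case above, as an added shell example (not part of the original API documentation): it calls the endpoint, persists the one-time `newApiKey` before doing anything else, and keeps a fallback copy if the primary write fails. The function names, the file-based secret store and the sed-based parsing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the API vendor's code. Assumptions: BASE_URL and OLD_KEY are
# set; a 0600 file stands in for the secrets-manager write; the key contains no
# escaped quotes, so sed can pull it from the one-field response body.

# Print newApiKey from a response body; fail if the field is missing or empty.
extract_new_key() {
    key=$(printf '%s' "$1" |
        sed -n 's/.*"newApiKey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$key" ] && printf '%s' "$key"
}

# Write key $1 to file $2 atomically, owner-only, never via argv or a log.
persist_key() {
    (
        umask 077
        tmp="$2.tmp.$$"
        printf '%s\n' "$1" > "$tmp" && mv -f "$tmp" "$2"
    )
}

# Persist the key from response $1 to $2 before anything else happens.
# If $2 is unwritable, fall back to a fresh temp file: the key cannot be re-fetched.
store_rotated_key() {
    new_key=$(extract_new_key "$1") || { echo "no newApiKey in response" >&2; return 1; }
    if persist_key "$new_key" "$2" 2>/dev/null; then
        echo "new key stored in $2" >&2
        return 0
    fi
    fallback=$(umask 077; mktemp) && printf '%s\n' "$new_key" > "$fallback" || return 3
    echo "could not write $2; new key saved to $fallback" >&2
    return 2
}

# Call the endpoint with the current key and store the result in file $1.
rotate_api_key() {
    # Header is fed on stdin (-H @-, curl >= 7.55.0) to keep the key out of ps output.
    resp=$(printf 'x-api-key: %s\n' "$OLD_KEY" |
        curl -sS --fail -X POST "$BASE_URL/auth/api/rotate-key" -H @-) || {
        echo "rotate-key failed; check whether the old key still works before retrying" >&2
        return 1
    }
    store_rotated_key "$resp" "$1"
}

# Usage: rotate_api_key /path/to/secret-file, then redeploy consumers to re-issue tokens.
```

A return code of 2 means the key was saved only to the fallback path printed on stderr; move it into the real secret store before redeploying consumers.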