API key rotation without downtime: overlap windows and monitoring
Accept two valid keys per client during migration; revoke the old key only after traffic metrics drop to zero.
api-keys, operations, security
CORS proxy note
If keys authenticate browser calls through a proxy, ensure both keys map to the same project policy during overlap.
Log which key prefix was used to debug clients still on legacy material.
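The overlap window, same-policy check and prefix logging described above, as an added example that is not code from the original post: a minimal in-memory key store. The class and method names, the 8-character prefix and the quiet-period threshold are assumptions made for illustration.

```python
import hashlib
import hmac

PREFIX_LEN = 8  # assumption: the first 8 characters are safe to log

class KeyStore:
    def __init__(self):
        self.keys = {}  # client -> list of key records

    def add_key(self, client, key, policy):
        records = self.keys.setdefault(client, [])
        # Both keys must map to the same project policy during overlap.
        if any(r["policy"] != policy for r in records):
            raise ValueError("new key must map to the same policy as the old key")
        records.append({
            "prefix": key[:PREFIX_LEN],
            "digest": hashlib.sha256(key.encode()).digest(),  # never store the raw key
            "policy": policy,
            "last_used": None,
        })

    def authenticate(self, client, presented, now):
        digest = hashlib.sha256(presented.encode()).digest()
        for rec in self.keys.get(client, []):
            if hmac.compare_digest(rec["digest"], digest):  # constant-time compare
                rec["last_used"] = now
                return rec["prefix"], rec["policy"]  # log the prefix, not the key
        return None

    def revoke_if_idle(self, client, prefix, now, quiet_seconds):
        records = self.keys.get(client, [])
        target = next((r for r in records if r["prefix"] == prefix), None)
        if target is None or len(records) < 2:  # never revoke the only key
            return False
        if target["last_used"] is not None and now - target["last_used"] < quiet_seconds:
            return False  # a client is still on the legacy key
        records.remove(target)
        return True

def demo():
    # Constructed keys and timestamps, for illustration only.
    store = KeyStore()
    store.add_key("acme", "old_k3y_AAAAAAAAAAAA", "project-1")
    store.add_key("acme", "new_k3y_BBBBBBBBBBBB", "project-1")
    used = [store.authenticate("acme", "old_k3y_AAAAAAAAAAAA", now=100),
            store.authenticate("acme", "new_k3y_BBBBBBBBBBBB", now=200)]
    early = store.revoke_if_idle("acme", "old_k3y_", now=500, quiet_seconds=3600)
    late = store.revoke_if_idle("acme", "old_k3y_", now=4000, quiet_seconds=3600)
    after = store.authenticate("acme", "old_k3y_AAAAAAAAAAAA", now=4001)
    return used, early, late, after
```

In production the `last_used` timestamp would come from request metrics rather than in-process state, so the revocation gate reflects traffic across all instances.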
Incident response
If a key leaks, rotate immediately and notify integrators via status page and email.
Throttle abusive traffic while keeping CORS headers on error responses for observability.
