Strait Docs
Guides

Rotate keys with grace windows for zero-downtime credential rollovers.

Strait supports API key rotation with grace periods.

Endpoint

  • POST /v1/api-keys/{keyID}/rotate

CLI parity is supported via strait api-keys rotate --grace-period-minutes <n> which uses the same API rotation endpoint.

Request

{
  "name": "ci-key-2026-03",
  "grace_period_seconds": 3600
}

Behavior

  • New key is created and returned once.
  • Previous key is marked with:
    • replaced_by_key_id
    • grace_expires_at
  • Old key remains temporarily valid until grace expires.
  • After grace expiry, old key authentication fails.
  1. Rotate key with a grace window.
  2. Roll out new key to all clients.
  3. Verify traffic uses the new key.
  4. Let grace expire (or revoke old key explicitly).

Security Notes

  • Store only the returned raw key in your secret manager.
  • Never log raw keys.
  • Keep grace windows short.

See Authentication & Authorization and CLI API Keys.

Was this page helpful?
Edit on GitHub

Audit Events

Track and query security-sensitive actions with audit_events.

Security

Security features and protections implemented in Strait.

On this page

EndpointRequestBehaviorRecommended Rotation FlowSecurity Notes