Rotate a partner API key (M2M, self-rotate)

POST 
/v1/partner/account/keys/:key_id/rotate

Mints a new api_key + rotation_secret on the SAME key row.

Auth: defense in depth — caller must present BOTH the current key (X-API-Key, must match the key referenced by :key_id) AND the current rotation secret (X-Rotation-Secret, must match the same key's rotation_secret_hash).

Self-rotate only: you cannot rotate a key other than the one you're authenticating with. To "rotate someone else's key", DELETE it and POST a new one (two calls).

The old key remains valid for 4 hours after rotation. A rotation during the grace window REPLACES the prior grace entry.

Reminder slots are reset and rotation_due_at is advanced by the configured cadence (if any).

Request

Responses

200

New credentials issued. Save them now — they will not be shown again.

400

Missing key_id

401

Missing or invalid X-API-Key + X-Rotation-Secret combination, or key_id does not match the authenticating key