
API Key Rotation

Rotate Meridian API keys without downtime using overlapping validity windows.

Overview

Meridian supports dual-key validity during rotation. Issue a new key while the old one remains active, update your clients, then revoke the old key — all with zero rejected requests.

Step 1 — Issue a new key

From the dashboard, navigate to Settings → API Keys and click Generate Key. Give it a label like prod-v2. The old key remains valid — both keys now authenticate successfully.

Step 2 — Roll out the new key

Deploy the new key to your services. Meridian accepts either key during the overlap window. Monitor the dashboard — you will see requests authenticated by both keys side by side.

Step 3 — Revoke the old key

Once all traffic uses the new key, return to the API Keys page and click Revoke on the old key. Revocation is instant — subsequent requests with the old key receive a 401.

Best practices

  • Keep the overlap window under 24 hours to limit exposure.
  • Use descriptive labels — prod-2026-01 beats key3.
  • Rotate keys on a fixed schedule (monthly or quarterly).
  • Never commit keys to source control — use environment variables or a secrets manager.
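
An added example (not Meridian's own code) of the check behind Step 3 and the 24-hour overlap guideline: given records of authenticated requests, it reports whether the old key is still in use and whether the overlap window has run past 24 hours. The record format, the prod-v1 label, the 30-minute quiet period and all function names are assumptions; the page does not describe Meridian's log export.

```python
from datetime import datetime, timedelta, timezone

MAX_OVERLAP = timedelta(hours=24)     # overlap limit from the best practices
QUIET_PERIOD = timedelta(minutes=30)  # assumption: required silence on the old key


def revocation_check(events, old_label, new_label, new_issued_at, now):
    """Report whether the old key can be revoked without rejecting requests.

    events: (timestamp, key_label) pairs for authenticated requests, in a
    constructed format (hypothetical; not Meridian's export schema).
    """
    events = list(events)
    last_old = max((ts for ts, lb in events if lb == old_label), default=None)
    new_seen = any(lb == new_label and ts >= new_issued_at for ts, lb in events)
    reasons = []
    if not new_seen:
        reasons.append("new key has not authenticated any request yet")
    if last_old is not None and now - last_old < QUIET_PERIOD:
        reasons.append(f"old key still in use, last seen {last_old.isoformat()}")
    overlap = now - new_issued_at
    return {
        "safe_to_revoke": not reasons,
        "reasons": reasons,
        "overlap_exceeded": overlap > MAX_OVERLAP,
        "overlap_hours": round(overlap.total_seconds() / 3600, 1),
    }


# Constructed sample data: prod-v2 issued at T0, one service lags on prod-v1.
T0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (T0 - timedelta(hours=1), "prod-v1"),
    (T0 + timedelta(minutes=10), "prod-v1"),
    (T0 + timedelta(minutes=20), "prod-v2"),
    (T0 + timedelta(hours=2), "prod-v1"),  # straggler still on the old key
    (T0 + timedelta(hours=2, minutes=5), "prod-v2"),
    (T0 + timedelta(hours=3), "prod-v2"),
]

if __name__ == "__main__":
    for offset in (timedelta(hours=2, minutes=10), timedelta(hours=3), timedelta(hours=26)):
        print(offset, revocation_check(SAMPLE_EVENTS, "prod-v1", "prod-v2", T0, T0 + offset))
```

A result with overlap_exceeded set and safe_to_revoke unset points at a service that still holds the old key and needs redeploying before revocation.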

Pro tip: Automate rotation with the Keys API. Generate, distribute, and revoke programmatically — no dashboard clicks required.