
API key rotation plan

A step-by-step recipe for rotating Meridian API keys without downtime. Covers key generation, dual-key grace windows, and client-side migration.

1. Generate the successor key

From the Meridian dashboard, navigate to Settings → API Keys and click New Key. Give it a descriptive label (e.g. prod-v2). The new key is created in inactive state — it will not accept traffic yet. Put the key value into your secrets manager as soon as it is generated: it is a production credential from the moment you activate it, so keep it out of chat, tickets, and shell history.

2. Activate the grace window

Toggle the new key to active. Meridian automatically enters a 72-hour dual-key grace period. During this window, both the old key and the new key are valid. Requests authenticated with either key succeed and are logged with the key fingerprint used.

3. Migrate clients

Roll out the new key to your SDK instances, loader builds, or server-side consumers. Monitor the key_fingerprint field in request logs to confirm traffic is shifting. The old key continues to work — no outage if a client is missed.

4. Revoke the old key

Once all traffic uses the new key (or the 72-hour window expires), revoke the old key from the dashboard. Do not revoke while the old key fingerprint still shows successful requests in your logs; each of those is a client that has not yet been migrated. Revocation is instant. Requests using the revoked key receive 401 with reason key_revoked. One exception to the grace window: if you are rotating because the old key may have been exposed, revoke it immediately and accept the outage for any straggling client. The dual-key window exists to avoid downtime, not to extend the life of a leaked credential.

5. Verify & document

Confirm that the old key fingerprint has produced no 401 key_revoked responses in the last 24 hours; any that appear identify a client that was missed in step 3 and is now failing. Record the rotation in your runbook: old key label, new key label, activation timestamp, and revocation timestamp. Store the old key fingerprint (never the key value itself) for audit.
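The log checks behind steps 3, 4 and 5 (is traffic shifting, is it safe to revoke, is anything still hitting the revoked key) as an added Python example. This is not Meridian's own tooling, and the log format is an assumption: JSON lines with fields ts, key_fingerprint, status and reason, which is not a documented Meridian export. The sample log is constructed for the example.

```python
"""Rotation checks over request logs (added example; field names are assumed).

Assumed log layout: one JSON object per line with
  ts              ISO-8601 timestamp, UTC
  key_fingerprint fingerprint of the key that authenticated the request
  status          HTTP status returned
  reason          present on 401s, e.g. "key_revoked"
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, not real Meridian output. The old key (fp_prod_v1) was
# revoked at 2024-05-02T00:00Z; the 401 at 06:00 is a client that was missed.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "key_fingerprint": "fp_prod_v1", "status": 200}
{"ts": "2024-05-01T09:00:00Z", "key_fingerprint": "fp_prod_v1", "status": 200}
{"ts": "2024-05-01T10:00:00Z", "key_fingerprint": "fp_prod_v2", "status": 200}
{"ts": "2024-05-01T11:00:00Z", "key_fingerprint": "fp_prod_v2", "status": 200}
{"ts": "2024-05-01T12:00:00Z", "key_fingerprint": "fp_prod_v2", "status": 200}
{"ts": "2024-05-02T06:00:00Z", "key_fingerprint": "fp_prod_v1", "status": 401, "reason": "key_revoked"}
{"ts": "2024-05-02T07:00:00Z", "key_fingerprint": "fp_prod_v2", "status": 200}
"""


def utc(stamp):
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Turn JSON lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = utc(rec["ts"])
        events.append(rec)
    return events


def in_window(events, now, hours):
    """Events with cutoff <= ts <= now, cutoff inclusive."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if cutoff <= e["ts"] <= now]


def migration_progress(events, now, hours=24):
    """Step 3: successful (2xx) requests per key fingerprint in the window."""
    return Counter(
        e["key_fingerprint"]
        for e in in_window(events, now, hours)
        if 200 <= e["status"] < 300
    )


def safe_to_revoke(events, old_fp, now, hours=24):
    """Step 4 gate: true only if the old key served no successful request
    in the window. Pick 'hours' to cover your slowest client's cycle."""
    return migration_progress(events, now, hours)[old_fp] == 0


def revoked_key_hits(events, old_fp, now, hours=24):
    """Step 5: 401 key_revoked responses still produced by the old key.
    Any non-zero count is a client that was missed during migration."""
    return sum(
        1
        for e in in_window(events, now, hours)
        if e["key_fingerprint"] == old_fp
        and e["status"] == 401
        and e.get("reason") == "key_revoked"
    )


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("progress  :", dict(migration_progress(ev, utc("2024-05-01T12:00:00Z"))))
    print("revoke ok?:", safe_to_revoke(ev, "fp_prod_v1", utc("2024-05-01T23:00:00Z"), 12))
    print("stragglers:", revoked_key_hits(ev, "fp_prod_v1", utc("2024-05-02T12:00:00Z")))
```

The window length matters more than it looks: with the sample data, safe_to_revoke is false over a 24-hour window at 23:00 on day one (the old key still served traffic that morning) but true over a 12-hour window at the same moment. Size the window to the longest interval between calls from your quietest client, such as a nightly batch job, or you will revoke out from under it.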

Pro tip

Schedule rotations during your lowest-traffic window. Meridian supports up to 3 concurrently active keys per project — use this for staggered regional rollouts.