Skip to content

docs: add tutorial on rotating Kosli API keys #229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vidhu-balad merged 5 commits into from
Jun 4, 2026
+116 −1
Merged

docs: add tutorial on rotating Kosli API keys #229

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7290008
docs: add tutorial on rotating Kosli API keys
mintlify[bot] May 18, 2026
485ff36
Update rotating_api_keys.mdx
vidhu-balad Jun 2, 2026
2e860b7
Update tutorials/rotating_api_keys.mdx
vidhu-balad Jun 2, 2026
e57ac6b
Update rotating_api_keys.mdx
vidhu-balad Jun 2, 2026
365f514
Add cross-link from service-accounts API key rotation to detailed tut…
vidhu-balad Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion config/navigation.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,8 @@
{
"group": "Security",
"pages": [
"tutorials/unauthorized_iac_changes"
"tutorials/unauthorized_iac_changes",
"tutorials/rotating_api_keys"
]
},
{
Expand Down
2 changes: 2 additions & 0 deletions getting_started/service-accounts.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ Once the new key is in place and operational, remove or delete the old key from

By systematically following these steps, you can ensure a seamless API key rotation without causing any downtime or interruptions in service.

For a detailed walkthrough including API examples, see [Rotating API keys](/tutorials/rotating_api_keys).


## Using API Keys

Expand Down
112 changes: 112 additions & 0 deletions tutorials/rotating_api_keys.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
---
title: Rotating API keys
description: Learn how to rotate Kosli service account API keys with zero downtime.
---

Rotating API keys regularly is a security best practice that limits the blast radius of a leaked or compromised credential. This tutorial walks you through rotating a Kosli service account API key with zero downtime, using either the Kosli web app or the API directly.

<Tip>
Kosli never stores your API token in plain text. Only a cryptographic hash of the token is stored, so the original token cannot be retrieved from our systems — make sure to copy a new key immediately after creating or rotating it.
</Tip>
Comment on lines +8 to +10
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The tip on lines 8-10 is nearly identical to the one already on /getting_started/service-accounts (line 31-33). Since the tutorial already links to that page, consider removing it here to avoid maintaining the same statement in two places. If you want to keep a reminder, a shorter inline note ("Remember, the key is shown only once") might be lighter.


## Prerequisites

- A Kosli shared organization with at least one [service account](/getting_started/service-accounts#service-accounts) and an existing API key.
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Improvement: Both "shared organization" and "service account" link to the same anchor (/getting_started/service-accounts#service-accounts). The link text "shared organization" is misleading — that anchor covers the Service Accounts heading, not shared orgs specifically. Consider simplifying the prerequisite:

Suggested change
- A Kosli shared organization with at least one [service account](/getting_started/service-accounts#service-accounts) and an existing API key.
- A Kosli shared organization with at least one [service account](/getting_started/service-accounts#service-accounts) and an existing API key.

- Administrator access to the organization that owns the service account.
- An inventory of every system (CI pipelines, runtime reporters, scripts, secrets managers, etc.) that uses the API key you plan to rotate.

## How rotation works

When you rotate a service account API key, Kosli:

1. Generates a **new** API key immediately and returns its value **once**.
2. Keeps the **old** key valid for a configurable grace period (default: **24 hours**).
3. Automatically revokes the old key when the grace period expires.

The grace period lets you roll the new key out to all consumers without an interruption in service. Choose a window that matches your deployment cadence — short enough to limit exposure, long enough to update every dependent system.

## Rotate a key from the Kosli web app

1. Log in to Kosli and select the organization that owns the service account.
2. Go to **Settings** → **Service accounts** in the left navigation.
3. Open the service account whose key you want to rotate.
4. Find the key in the **API Keys** list and click **Regenerate**.
5. Choose a grace period for the old key, then confirm.
Comment on lines +29 to +34
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: CLAUDE.md lists <Steps> / <Step> as the recommended component for sequential procedures. This numbered list would be a good candidate for that component, matching how other tutorials present step-by-step workflows.

6. Copy the new key value immediately and store it in your secrets manager — it will not be shown again.

Comment on lines +30 to +36
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Improvement: This sequential procedure is a good candidate for the <Steps>/<Step> component, which is used for similar workflows in other tutorials (e.g., report_cloud_run_envs.md, linking_trails_across_branches.md) and recommended in CLAUDE.md for sequential procedures.

Suggested change
1. Log in to Kosli and select the organization that owns the service account.
2. Go to **Settings****Service accounts** in the left navigation.
3. Open the service account whose key you want to rotate.
4. Find the key in the **API Keys** list and click **Regenerate**.
5. Choose a grace period for the old key, then confirm.
6. Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
<Steps>
<Step>
Log in to Kosli and select the organization that owns the service account.
</Step>
<Step>
Go to **Settings****Service accounts** in the left navigation.
</Step>
<Step>
Open the service account whose key you want to rotate.
</Step>
<Step>
Find the key in the **API Keys** list and click **Regenerate**.
</Step>
<Step>
Choose a grace period for the old key, then confirm.
</Step>
<Step>
Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
</Step>
</Steps>

Comment on lines +30 to +36
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The "Rotate a key from the Kosli web app" procedure (lines 30-36) is a sequential numbered list — a good candidate for the <Steps>/<Step> component, which CLAUDE.md recommends for sequential procedures and other tutorials use (report_cloud_run_envs.md, linking_trails_across_branches.md).

Suggested change
1. Log in to Kosli and select the organization that owns the service account.
2. Go to **Settings****Service accounts** in the left navigation.
3. Open the service account whose key you want to rotate.
4. Find the key in the **API Keys** list and click **Regenerate**.
5. Choose a grace period for the old key, then confirm.
6. Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
<Steps>
<Step>
Log in to Kosli and select the organization that owns the service account.
</Step>
<Step>
Go to **Settings****Service accounts** in the left navigation.
</Step>
<Step>
Open the service account whose key you want to rotate.
</Step>
<Step>
Find the key in the **API Keys** list and click **Regenerate**.
</Step>
<Step>
Choose a grace period for the old key, then confirm.
</Step>
<Step>
Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
</Step>
</Steps>

## Rotate a key via the API

You can also rotate keys programmatically, which is useful for automating periodic rotation from your CI or a secrets manager.

```shell
curl -X POST \
-H "Authorization: Bearer <<your-admin-api-key>>" \
-H "Content-Type: application/json" \
-d '{"grace_period_hours": 24}' \
https://app.kosli.com/api/v2/service-accounts/<<your-org>>/<<service-account-name>>/api-keys/<<key-id>>/rotate
```

The response contains the new API key value. Capture it directly into your secrets store:

```shell
NEW_KEY=$(curl -s -X POST \
-H "Authorization: Bearer $KOSLI_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"grace_period_hours": 24}' \
https://app.kosli.com/api/v2/service-accounts/$ORG/$SA_NAME/api-keys/$KEY_ID/rotate \
| jq -r '.api_key')
```

<Tip>
You can list a service account's keys (including the rotation status of the old key) with `GET /service-accounts/{org}/{name}/api-keys`. See the [API reference](/api-reference/service-accounts/list-api-keys-for-a-service-account) for details.
Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The API reference links (this one and the ones in the ## Related section) point to paths generated from the OpenAPI spec. Worth verifying these resolve correctly in the preview deployment before merging — there are no local files backing them.

Copy link
Copy Markdown
Contributor

@vidhu-balad vidhu-balad Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the reference links resolve as expected.

Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Improvement: The API reference links (/api-reference/service-accounts/...) are generated from the OpenAPI spec and can't be verified locally. Worth confirming they resolve in the preview deployment before merging.

</Tip>

## Roll the new key out

While the old key is still valid, update every consumer to use the new key:

- **CI/CD pipelines**: Update the `KOSLI_API_TOKEN` secret in GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.
- **Runtime reporters**: Update Kubernetes secrets used by the [Kosli Kubernetes reporter](/helm/k8s_reporter), and roll the relevant pods.
- **Local config files**: Update any [Kosli CLI config files](/getting_started/install#assigning-flags-via-config-files) that hard-code the token.
- **Secrets managers**: Update the value in AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault, or wherever you store the token.

Verify the rollout by triggering a job (or running a Kosli CLI command) that uses the new key and confirming it succeeds:

```shell
kosli list environments --api-token "$NEW_KEY" --org "$ORG"
```

## Verify the old key is decommissioned

Once every consumer is on the new key, you can either wait for the grace period to elapse or revoke the old key immediately:

```shell
curl -X DELETE \
-H "Authorization: Bearer <<your-admin-api-key>>" \
https://app.kosli.com/api/v2/service-accounts/<<your-org>>/<<service-account-name>>/api-keys/<<old-key-id>>
```

See [Revoke an API key for a service account](/api-reference/service-accounts/revoke-an-api-key-for-a-service-account) for details.

After revocation (or grace-period expiry), confirm the old key no longer works:

```shell
curl -i -H "Authorization: Bearer $OLD_KEY" \
https://app.kosli.com/api/v2/environments/$ORG
# Expect: HTTP/1.1 401 Unauthorized
```

## Recommended rotation cadence

- **Service accounts**: rotate at least every 90 days, and immediately if you suspect a leak.
- **After offboarding**: rotate any key an offboarded user could have accessed.
- **After incidents**: rotate any key potentially exposed by a security incident, regardless of cadence.

Automating rotation from your secrets manager — using the rotate endpoint above — is the most reliable way to keep within your target cadence.

## Related

Copy link
Copy Markdown
Contributor

@claude claude Bot Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: No other tutorial in the site has a ## Related section. The links are useful, but for consistency you could move them into a <Card>/<CardGroup> at the bottom (matching the navigational card pattern used elsewhere), or simply drop the section since the API reference links are already inline in the body.

- [Service Accounts](/getting_started/service-accounts)
- [Rotate an API key for a service account (API reference)](/api-reference/service-accounts/rotate-an-api-key-for-a-service-account)
- [Revoke an API key for a service account (API reference)](/api-reference/service-accounts/revoke-an-api-key-for-a-service-account)
- [List API keys for a service account (API reference)](/api-reference/service-accounts/list-api-keys-for-a-service-account)