Rotate API keys

With this method, you can have a single OAuth API key with multiple public keys associated with it.

Pros:

• You don't have to change the client ID to rotate keys.
• You can manage your own public keys (i.e., JWKS).
• We recommend this method since it follows best practices for rotating API keys.

Cons:

• This method requires you to manage your own public keys (i.e., JWKS) with a third-party tool. So some of the steps may be unfamiliar if you've never edited a public key before.
• There may be a risk on live integrations if there's any kind of typo.

Now that you know the pros and cons, let's explain how to do this.

1. Log in to the Redox dashboard.
2. From the navigation menu, select the Developer page.
3. By default, the Developer page opens and displays the API Keys tab.
4. Click the Edit button for the API key that you want to rotate.
5. The Settings page of the API key displays with the details. Click the Provide your public key tab.
6. Under option 2, add the new JWK to the keys array without deleting the old one yet.
7. The keys array now has two objects, the old JWK and the new JWK. Click the Save button.
8. Update your system to use the new JWK. That means you must update the private key and the key ID (i.e., kid). Don't update the client ID.
9. Once your system is updated, return to the API key settings in the Redox dashboard. Delete the old JWK from the keys array. Keep the new one.
10. Click the Save button.

With this method, you can use multiple OAuth API keys with unique public keys associated with each one.

Pros:

• This method is simpler if you don't currently manage public keys.
• There may be less risk on live integrations since the old key can just be deleted.
• You can manage your own public keys (i.e., JWKS) without having to use a third-party tool.

Cons:

• You must change the client ID to rotate keys.

Now that you know the pros and cons, let's explain how to do this.

1. Follow the steps for creating a new OAuth API key.
2. Once you have a new OAuth key, update your system to use the new JWK. That means you must update the private key, key ID (i.e., kid), and client ID values.
3. Once your system is updated, return to the API key settings in the Redox dashboard. Delete the old OAuth API key. Follow the steps for deleting an API key, if you need to.