API Key Rotation Without Downtime

Dual-key validation window, gradual client migration, and the revocation list we keep in Redis.

Rotating a compromised key used to mean a maintenance window. Now it is a documented playbook.

Flow

  1. Issue new key K2 while K1 remains valid (both in valid_keys set)
  2. Notify integrators with 14-day migration deadline
  3. Metrics on K1 usage — alert if traffic remains after deadline
  4. Revoke K1: move to revoked_keys with TTL = max JWT/session overlap
  5. Gateway checks revoked set first (O(1) Redis lookup)
if (await _redis.SetContainsAsync("revoked_keys", keyHash))
    return Results.Unauthorized();
if (!await _redis.SetContainsAsync("valid_keys", keyHash))
    return Results.Unauthorized();

Audit

Every rotation logged with actor, reason, and affected client IDs. Required for SOC2 evidence.

security , api-keys , rotation · Redis , .NET

More in Security