> ## Documentation Index > Fetch the complete documentation index at: https://tbd-6fc993ce-hypeship-docs-website-deploy-hook.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Rotate an API key > Rotate an API key. Issues a new key that copies the name and project of the rotated key, and schedules the rotated key to expire after a grace period so in-flight callers can swap over. The new plaintext key is returned once. ## OpenAPI ````yaml https://app.stainless.com/api/spec/documented/kernel/openapi.documented.yml post /org/api_keys/{id}/rotate openapi: 3.1.0 info: title: Kernel API description: Developer tools and cloud infrastructure for AI agents to use web browsers version: 0.1.0 servers: - url: https://api.onkernel.com description: API Server security: - bearerAuth: [] tags: - name: Browsers description: Create and manage browser sessions. - name: Browser Computer Controls description: Control mouse, keyboard, and screen on the browser instance. - name: Browser Playwright description: Execute Playwright code against the browser instance. - name: Browser Filesystem description: Read, write, and manage files on the browser instance. - name: Browser Processes description: Execute and manage processes on the browser instance. - name: Browser Replays description: Record and manage browser session video replays. - name: Browser Logs description: Stream logs from the browser instance. - name: Browser Telemetry description: Stream live telemetry events from a browser session. - name: Profiles description: Create, list, retrieve, and delete browser profiles. - name: Proxies description: Create and manage proxy configurations for routing browser traffic. - name: Extensions description: Create, list, retrieve, and delete browser extensions. - name: Browser Pools description: Create and manage browser pools for acquiring and releasing browsers. - name: Managed Auth description: >- Create and manage auth connections for automated credential capture and login. - name: Credentials description: Create and manage credentials for authentication. - name: Credential Providers description: Configure external credential providers like 1Password. - name: Apps description: List applications and versions. - name: Deployments description: Create and manage app deployments and stream deployment events. - name: Invocations description: Invoke actions and stream or query invocation status and events. - name: Organization description: Read and manage organization-level limits. - name: Projects description: Create and manage projects for resource isolation within an organization. - name: API Keys description: Create and manage API keys for organization and project-scoped access. - name: Audit Logs description: Read audit log records for the authenticated organization. paths: /org/api_keys/{id}/rotate: post: tags: - API Keys summary: Rotate an API key description: >- Rotate an API key. Issues a new key that copies the name and project of the rotated key, and schedules the rotated key to expire after a grace period so in-flight callers can swap over. The new plaintext key is returned once. operationId: rotateApiKey parameters: - name: id in: path required: true schema: type: string description: API key ID requestBody: required: false content: application/json: schema: $ref: '#/components/schemas/RotateApiKeyRequest' responses: '201': description: New API key created from the rotation content: application/json: schema: $ref: '#/components/schemas/CreatedApiKey' '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' '500': $ref: '#/components/responses/InternalError' security: - bearerAuth: [] x-codeSamples: - lang: JavaScript source: |- import Kernel from '@onkernel/sdk'; const client = new Kernel({ apiKey: process.env['KERNEL_API_KEY'], // This is the default and can be omitted }); const createdAPIKey = await client.apiKeys.rotate('id'); console.log(createdAPIKey); - lang: Python source: |- import os from kernel import Kernel client = Kernel( api_key=os.environ.get("KERNEL_API_KEY"), # This is the default and can be omitted ) created_api_key = client.api_keys.rotate( id="id", ) print(created_api_key) - lang: Go source: "package main\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\n\t\"github.com/kernel/kernel-go-sdk\"\n\t\"github.com/kernel/kernel-go-sdk/option\"\n)\n\nfunc main() {\n\tclient := kernel.NewClient(\n\t\toption.WithAPIKey(\"My API Key\"),\n\t)\n\tcreatedAPIKey, err := client.APIKeys.Rotate(\n\t\tcontext.TODO(),\n\t\t\"id\",\n\t\tkernel.APIKeyRotateParams{},\n\t)\n\tif err != nil {\n\t\tpanic(err.Error())\n\t}\n\tfmt.Printf(\"%+v\\n\", createdAPIKey)\n}\n" components: schemas: RotateApiKeyRequest: type: object properties: days_to_expire: type: integer description: >- Lifetime in days for the new key, up to 3650. Omit to reuse the rotated key's original lifetime, or never-expires if it had none. minimum: 1 maximum: 3650 example: 30 nullable: true expire_in_days: type: integer description: >- Grace period in days before the rotated key expires. Use 0 to expire it immediately. Omit for the default grace period of 7 days. minimum: 0 maximum: 3650 example: 7 nullable: true CreatedApiKey: description: >- API key returned immediately after creation. Includes the plaintext key once. allOf: - $ref: '#/components/schemas/ApiKey' - type: object required: - key properties: key: type: string description: Plaintext API key. Only returned once when the key is created. example: sk_1234abcd ApiKey: type: object required: - id - name - created_at - created_by - expires_at - deleted_at - project_id - project_name - masked_key properties: id: type: string description: Unique API key identifier example: ckv9w8q2f000001l5r3j7k9m4 name: type: string description: API key name example: production created_at: type: string format: date-time description: When the API key was created created_by: $ref: '#/components/schemas/ApiKeyCreator' expires_at: type: string format: date-time description: When the API key expires nullable: true deleted_at: type: string format: date-time description: >- When the API key was deleted (soft-deleted). Null for keys that have not been deleted. nullable: true project_id: type: string description: Project identifier for project-scoped API keys. Null means org-wide. example: proj_abc123 nullable: true project_name: type: string description: >- Project name for project-scoped API keys. Null means the key is org-wide or the project name is unavailable. example: Production nullable: true masked_key: type: string description: Masked version of the API key example: sk_1234...abcd Error: type: object required: - code - message properties: code: type: string description: Application-specific error code (machine-readable) example: bad_request message: type: string description: Human-readable error description for debugging example: 'Missing required field: app_name' details: type: array description: Additional error details (for multiple errors) items: $ref: '#/components/schemas/ErrorDetail' inner_error: $ref: '#/components/schemas/ErrorDetail' ApiKeyCreator: type: object required: - id - email - name properties: id: type: string description: Kernel user ID of the creator. example: user-abc123 email: type: string format: email description: Email address of the creator. example: user@example.com name: type: string nullable: true description: Display name of the creator, if available. example: Jane Doe ErrorDetail: type: object properties: code: type: string description: Lower-level error code providing more specific detail example: invalid_input message: type: string description: Further detail about the error example: Provided version string is not semver compliant responses: BadRequest: description: Bad Request – invalid input content: application/json: schema: $ref: '#/components/schemas/Error' Unauthorized: description: Unauthorized – missing or invalid authorization token content: application/json: schema: $ref: '#/components/schemas/Error' NotFound: description: Resource not found content: application/json: schema: $ref: '#/components/schemas/Error' InternalError: description: Internal Server Error content: application/json: schema: $ref: '#/components/schemas/Error' securitySchemes: bearerAuth: type: http scheme: bearer ````