
API Keys – Post Expiration Window

Feature Highlight 8


API keys in Poly can be set to expire, requiring periodic rotation to maintain security and follow best practices. Admins can configure, at the tenant or environment level, whether keys must be rotated while still active or can also be rotated after expiration.

Enhancements in Release 20

With Release 20, we have introduced a new capability that allows admins to define a post-expiration window for key rotation. This is managed through a configuration variable:

  • Config Variable: ApiKeyPostExpirationRotationDays
  • Where to Set It: Currently available via the Management API and will be added to the UI in the future.
  • Default Behavior: If not set, API keys cannot be rotated after expiration.
  • User Experience: Our UI will provide warnings when keys are nearing expiration and offer a one-click rotation option if the post-expiration window is enabled.

See for Yourself

To test this new configuration:

  1. Create an API key with an expiration date.
  2. Update the post-expiration window using PATCH /tenant/{id}/config-variables, setting ApiKeyPostExpirationRotationDays to the desired integer value.
  3. Allow the key to expire and attempt to rotate it using the UI.
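
The key states that the steps above exercise can be modelled in a short inventory check. This is an added example, not PolyAPI code: it assumes the window is counted in days from the key's expiry timestamp with an inclusive end, and `warn_days`, the key names and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

def rotation_state(expires_at: datetime, now: datetime,
                   post_expiration_days: Optional[int],
                   warn_days: int = 14) -> str:
    """Classify one key. post_expiration_days models
    ApiKeyPostExpirationRotationDays (None = variable not set).
    warn_days is a hypothetical threshold, not a Poly setting."""
    if expires_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps")
    if post_expiration_days is not None and post_expiration_days < 0:
        raise ValueError("window must be a non-negative integer")
    if now < expires_at:
        soon = expires_at - now <= timedelta(days=warn_days)
        return "expiring-soon" if soon else "active"
    # Expired: rotation is possible only inside the configured window.
    # Unset (None) and 0 both mean no post-expiration rotation.
    if post_expiration_days and \
            now <= expires_at + timedelta(days=post_expiration_days):
        return "expired-rotatable"  # assumed inclusive upper bound
    return "expired-locked"

def audit(keys, now, post_expiration_days):
    """Group (name, expires_at) pairs by rotation state."""
    report = {}
    for name, expires_at in keys:
        state = rotation_state(expires_at, now, post_expiration_days)
        report.setdefault(state, []).append(name)
    return report

# Constructed sample inventory (not real keys).
NOW = datetime(2025, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ("ci-deploy", NOW + timedelta(days=90)),
    ("billing-sync", NOW + timedelta(days=3)),
    ("etl-nightly", NOW - timedelta(days=2)),
    ("legacy-report", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for window in (None, 7):  # variable unset vs. a 7-day window
        print(window, audit(SAMPLE_KEYS, NOW, window))
```

Running it with the variable unset and then with a 7-day window shows which expired keys move from locked to rotatable, and which have already aged out of the window and need to be reissued.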

Have questions about our roadmap or platform? We’d love to hear from you! Reach out to us at hello@polyapi.io, fill out a contact form, or book an intro meeting.
