Skip to content
2 changes: 1 addition & 1 deletion apps/dashboard/lib/trpc/routers/audit/llm-search/utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,7 @@ ${validEventTypes.map((event) => ` - ${event}`).join("\n")}
- workspace.create, workspace.update, workspace.delete, workspace.opt_in
- gateway.create, llmGateway.create, llmGateway.delete
- api.create, api.update, api.delete
- key.create, key.update, key.delete
- key.create, key.update, key.delete, key.reroll
- ratelimitNamespace.create, ratelimitNamespace.update, ratelimitNamespace.delete
- vercelIntegration.create, vercelIntegration.update, vercelIntegration.delete
- vercelBinding.create, vercelBinding.update, vercelBinding.delete
Expand Down
2 changes: 1 addition & 1 deletion go/apps/api/integration/harness.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func New(t *testing.T, config Config) *Harness {
ctx: ctx,
cancel: cancel,
instanceAddrs: []string{},
Seed: seed.New(t, db),
Seed: seed.New(t, db, nil),
dbDSN: mysqlHostDSN,
Comment thread
Flo4604 marked this conversation as resolved.
DB: db,
CH: ch,
Expand Down
69 changes: 69 additions & 0 deletions go/apps/api/openapi/gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

174 changes: 174 additions & 0 deletions go/apps/api/openapi/openapi-generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -926,6 +926,57 @@ components:
"$ref": "#/components/schemas/Meta"
data:
"$ref": "#/components/schemas/V2KeysRemoveRolesResponseData"
V2KeysRerollKeyRequestBody:
type: object
required:
- keyId
- expiration
properties:
keyId:
type: string
minLength: 3
maxLength: 255
pattern: "^[a-zA-Z0-9_]+$"
description: |
The database identifier of the key to reroll.

This is the unique ID returned when creating or listing keys, NOT the actual API key token.
You can find this ID in:
- The response from `keys.createKey`
- Key verification responses
- The Unkey dashboard
- API key listing endpoints
example: key_2cGKbMxRyIzhCxo1Idjz8q
expiration:
type: integer
format: int64
minimum: 0
maximum: 4102444800000
description: |
Duration in milliseconds until the ORIGINAL key is revoked, starting from now.

This parameter controls the overlap period for key rotation:
- Set to `0` to revoke the original key immediately
- Positive values keep the original key active for the specified duration
- Allows graceful migration by giving users time to update their credentials

Common overlap periods:
- Immediate revocation: 0
- 1 hour grace period: 3600000
- 24 hours grace period: 86400000
- 7 days grace period: 604800000
- 30 days grace period: 2592000000
example: 86400000
V2KeysRerollKeyResponseBody:
type: object
required:
- meta
- data
properties:
meta:
"$ref": "#/components/schemas/Meta"
data:
"$ref": "#/components/schemas/V2KeysRerollKeyResponseData"
V2KeysSetPermissionsRequestBody:
type: object
required:
Expand Down Expand Up @@ -2476,6 +2527,43 @@ components:
- Changes take effect immediately for new verifications but cached sessions may retain old permissions briefly
items:
"$ref": "#/components/schemas/Role"
V2KeysRerollKeyResponseData:
type: object
properties:
keyId:
type: string
description: |
The unique identifier for the newly created key.

This is NOT the actual API key token, but a reference ID for management operations.
Store this ID to:
- Update or revoke the key later
- Track the key in your database
- Display in admin dashboards (safe to log)

Note: This is a new ID - the original key retains its own ID.
example: key_2cGKbMxRyIzhCxo1Idjz8q
key:
type: string
description: |
The newly generated API key token (the actual secret that authenticates requests).

**SECURITY CRITICAL:**
- This is the only time you'll receive the complete key
- Unkey stores only a hashed version (unless the original key was created with `recoverable=true`)
- Never log, store, or expose this value in your systems
- Transmit directly to the end user via secure channels only
- If lost and not recoverable, you must reroll or create a new key

The key format follows: `[prefix]_[random_bytes]`
- Prefix is extracted from the original key or uses API default
- Random bytes follow API configuration (default: 16 bytes)

This is NOT the keyId - it's the actual secret token used for authentication.
example: prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT
required:
- keyId
- key
V2KeysSetPermissionsResponseData:
Comment thread
Flo4604 marked this conversation as resolved.
type: array
description: |-
Expand Down Expand Up @@ -4323,6 +4411,92 @@ paths:
tags:
- keys
x-speakeasy-name-override: removeRoles
/v2/keys.rerollKey:
post:
description: |
Generate a new API key while preserving the configuration from an existing key.

This operation creates a fresh key with a new token while maintaining all settings from the original key:
- Permissions and roles
- Custom metadata
- Rate limit configurations
- Identity associations
- Remaining credits
- Recovery settings

**Key Generation:**
- The system attempts to extract the prefix from the original key
- If prefix extraction fails, the default API prefix is used
- Key length follows the API's default byte configuration (or 16 bytes if not specified)

**Original Key Handling:**
- The original key will be revoked after the duration specified in `remaining`
- Set `remaining` to 0 to revoke immediately
- This allows for graceful key rotation with an overlap period

Common use cases include:
- Rotating keys for security compliance
- Issuing replacement keys for compromised credentials
- Creating backup keys with identical permissions

**Important:** Analytics and usage metrics are tracked at both the key level AND identity level. If the original key has an identity, the new key will inherit it, allowing you to track usage across both individual keys and the overall identity.

**Required Permissions**

Your root key must have:
- `api.*.create_key` or `api.<api_id>.create_key`
- `api.*.update_key` or `api.<api_id>.update_key`
- `api.*.encrypt_key` or `api.<api_id>.encrypt_key` (only when the original key is recoverable)
operationId: rerollKey
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/V2KeysRerollKeyRequestBody'
required: true
responses:
"200":
content:
application/json:
schema:
$ref: '#/components/schemas/V2KeysRerollKeyResponseBody'
description: Key rerolled successfully.
"400":
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestErrorResponse'
description: Bad request
"401":
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedErrorResponse'
description: Unauthorized
"403":
content:
application/json:
schema:
$ref: '#/components/schemas/ForbiddenErrorResponse'
description: Forbidden
"404":
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundErrorResponse'
description: Not found
"500":
content:
application/json:
schema:
$ref: '#/components/schemas/InternalServerErrorResponse'
description: Internal server error
security:
- rootKey: []
summary: Reroll Key
tags:
- keys
x-speakeasy-name-override: rerollKey
Comment thread
Flo4604 marked this conversation as resolved.
Comment thread
Flo4604 marked this conversation as resolved.
/v2/keys.setPermissions:
post:
description: |
Expand Down
2 changes: 2 additions & 0 deletions go/apps/api/openapi/openapi-split.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,8 @@ paths:

/v2/keys.createKey:
$ref: "./spec/paths/v2/keys/createKey/index.yaml"
/v2/keys.rerollKey:
$ref: "./spec/paths/v2/keys/rerollKey/index.yaml"
Comment thread
Flo4604 marked this conversation as resolved.
/v2/keys.updateKey:
$ref: "./spec/paths/v2/keys/updateKey/index.yaml"
/v2/keys.updateCredits:
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
type: object
required:
- keyId
- expiration
properties:
keyId:
type: string
minLength: 3
maxLength: 255
pattern: "^[a-zA-Z0-9_]+$"
description: |
The database identifier of the key to reroll.

This is the unique ID returned when creating or listing keys, NOT the actual API key token.
You can find this ID in:
- The response from `keys.createKey`
- Key verification responses
- The Unkey dashboard
- API key listing endpoints
example: key_2cGKbMxRyIzhCxo1Idjz8q
expiration:
type: integer
format: int64
minimum: 0
maximum: 4102444800000
description: |
Duration in milliseconds until the ORIGINAL key is revoked, starting from now.

This parameter controls the overlap period for key rotation:
- Set to `0` to revoke the original key immediately
- Positive values keep the original key active for the specified duration
- Allows graceful migration by giving users time to update their credentials

Common overlap periods:
- Immediate revocation: 0
- 1 hour grace period: 3600000
- 24 hours grace period: 86400000
- 7 days grace period: 604800000
- 30 days grace period: 2592000000
example: 86400000
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
type: object
required:
- meta
- data
properties:
meta:
"$ref": "../../../../common/Meta.yaml"
data:
"$ref": "./V2KeysRerollKeyResponseData.yaml"
examples:
rerollKey:
summary: Key rerolled successfully
description: Successfully rerolled a key
value:
meta:
requestId: req_abc123def456
data:
keyId: key_2cGKbMxRyIzhCxo1Idjz8q
key: prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT
Loading
Loading