innkept

Rotating a key

Replace a leaked key without taking your widget offline.

A leaked publishable key isn't a disaster — it can only fetch your widget config and submit leads with valid GDPR consent. Still, if a key is misbehaving (spam leads, scraping your config), rotate it.

The zero-downtime rotation

  1. Open the API keys page. Note the key you want to retire.
  2. Click New key with the same allowlist as the old one.
  3. Copy the new publishable key.
  4. Update the embed snippet on your site to use the new key. Push to production.
  5. Wait until the old key's last used at stops advancing — usually a few minutes after deploy, allowing for browser caching.
  6. Back in the dashboard, click Revoke on the old key.

During steps 4–5, both keys work. As soon as you revoke the old key, any cached page still carrying the old data-key stops working: its requests are rejected and the widget shows the error "This configurator isn't authorised on this domain."

If you suspect abuse

Skip the graceful rotation. Revoke immediately. The widget breaks for in-flight users on cached pages, but you stop the abuse instantly. Then create a new key and update your snippet.

Rotating a secret key

Same flow:

  1. Generate a new secret key (this is the only time you'll see the full string — copy it).
  2. Update INNKEPT_SECRET_KEY in your env vars.
  3. Deploy.
  4. Confirm requests are succeeding with the new key.
  5. Revoke the old key.

What "revoke" actually does

Revoking sets is_active = false. The key still exists in the database (so the audit trail is preserved) but every request authenticated with it returns 401 Unauthorised. The dashboard hides revoked keys by default — toggle the Show revoked filter to see them.
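As an added illustration (not innkept's own code), the behaviour described in the rotation steps and in this section, modelled in Python: both keys authenticate during the overlap, revoke flips is_active to false but keeps the row, and a revoked key or a non-allowlisted origin gets 401. The store, the key names and timestamps, and the five-minute quiet window behind safe_to_revoke are my assumptions, standing in for the manual "last used at stops advancing" check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ApiKey:
    key: str
    allowlist: set                        # origins the key may be used from
    is_active: bool = True                # revoke flips this to False
    last_used_at: "datetime | None" = None

class KeyStore:
    """Stand-in for the dashboard's key table (an assumption, not innkept's schema)."""
    def __init__(self):
        self.keys = {}

    def create(self, key, allowlist):
        self.keys[key] = ApiKey(key, set(allowlist))

    def authenticate(self, key, origin, now):
        """HTTP status for a request: 200 if active and origin allowlisted, else 401."""
        rec = self.keys.get(key)
        if rec is None or not rec.is_active or origin not in rec.allowlist:
            return 401
        rec.last_used_at = now            # what the "last used at" column shows
        return 200

    def revoke(self, key):
        self.keys[key].is_active = False  # soft-delete: the row stays for the audit trail

    def safe_to_revoke(self, key, now, quiet=timedelta(minutes=5)):
        """True once last_used_at has stopped advancing for `quiet` (an assumed window)."""
        last = self.keys[key].last_used_at
        return last is None or now - last >= quiet

def rotation_walkthrough():
    """Steps 2-6 of the zero-downtime rotation, with constructed keys and timestamps."""
    store, site, t0 = KeyStore(), "https://example.com", datetime(2024, 1, 1, 12, 0)
    store.create("pk_old", [site])
    store.create("pk_new", [site])        # step 2: same allowlist as the old key
    out = {"overlap_old": store.authenticate("pk_old", site, t0),   # steps 4-5: both work
           "overlap_new": store.authenticate("pk_new", site, t0)}
    out["safe_early"] = store.safe_to_revoke("pk_old", t0 + timedelta(minutes=1))
    out["safe_later"] = store.safe_to_revoke("pk_old", t0 + timedelta(minutes=10))
    store.revoke("pk_old")                # step 6
    out["revoked_old"] = store.authenticate("pk_old", site, t0 + timedelta(minutes=11))
    out["wrong_origin"] = store.authenticate("pk_new", "https://evil.example", t0)
    out["row_kept"] = "pk_old" in store.keys
    return out
```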

We never auto-rotate. Some platforms force key rotation every N days. That just trains people to deploy under pressure. We'd rather you rotate when there's a reason and never otherwise.

