Rotating a key
Replace a leaked key without taking your widget offline.
A leaked publishable key isn't a disaster — it can only fetch your widget config and submit leads with valid GDPR consent. Still, if a key is misbehaving (spam leads, scraping your config), rotate it.
The zero-downtime rotation
1. Open API keys. Note the key you want to retire.
2. Click New key with the same allowlist as the old one.
3. Copy the new publishable key.
4. Update the embed snippet on your site to use the new key. Push to production.
5. Wait until the old key's last used at stops advancing — usually a few minutes after deploy, allowing for browser caching.
6. Back in the dashboard, click Revoke on the old key.
During steps 4–5, both keys work. As soon as you revoke the old key, any cached page with the old data-key will silently fail. The widget shows an error: "This configurator isn't authorised on this domain."
If you suspect abuse
Skip the graceful rotation. Revoke immediately. The widget breaks for in-flight users on cached pages, but you stop the abuse instantly. Then create a new key and update your snippet.
Rotating a secret key
Same flow:
1. Generate a new secret key (this is the only time you'll see the full string — copy it).
2. Update INNKEPT_SECRET_KEY in your env vars.
3. Deploy.
4. Confirm requests are succeeding with the new key.
5. Revoke the old key.
What "revoke" actually does
Revoking sets is_active = false. The key still exists in the database (so the audit trail is preserved) but every request authenticated with it returns 401 Unauthorised. The dashboard hides revoked keys by default — toggle the Show revoked filter to see them.
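The rotation steps and the revoke semantics above, modelled end to end as an added Python example. This is not Innkept's code: the class names, the constructed keys and domain, and the choice to refuse an allowlist miss with 401 as well are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ApiKey:
    allowlist: frozenset            # domains allowed to load the widget with this key
    is_active: bool = True          # revoke flips this; the row itself is never deleted
    last_used_at: datetime | None = None

class KeyStore:
    def __init__(self) -> None:
        self._keys: dict[str, ApiKey] = {}
    def create(self, key: str, allowlist) -> None:
        self._keys[key] = ApiKey(frozenset(allowlist))
    def revoke(self, key: str) -> None:
        self._keys[key].is_active = False   # audit trail kept; the key just stops authenticating
    def list_keys(self, show_revoked: bool = False) -> list[str]:
        # The dashboard hides revoked keys unless the "Show revoked" filter is on.
        return [k for k, r in self._keys.items() if show_revoked or r.is_active]

    def authenticate(self, key: str, origin: str, now: datetime) -> tuple[int, str]:
        rec = self._keys.get(key)
        if rec is None or not rec.is_active:
            return 401, "Unauthorised"
        if origin not in rec.allowlist:   # assumption: allowlist misses are also refused with 401
            return 401, "This configurator isn't authorised on this domain."
        rec.last_used_at = now            # the "last used at" the dashboard shows
        return 200, "OK"

    def is_quiet(self, key: str, now: datetime, window: timedelta) -> bool:
        # Step 5: safe to revoke once last_used_at has stopped advancing for a full window.
        last = self._keys[key].last_used_at
        return last is None or now - last >= window

def rotate_demo() -> dict:
    # Walk the six steps with constructed traffic and return what each stage observed.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = KeyStore()
    store.create("pk_old", {"example.com"})
    store.create("pk_new", {"example.com"})                       # step 2: same allowlist
    both_ok = (store.authenticate("pk_old", "example.com", t0)[0],
               store.authenticate("pk_new", "example.com", t0 + timedelta(minutes=1))[0])
    quiet = store.is_quiet("pk_old", t0 + timedelta(minutes=10), timedelta(minutes=5))
    store.revoke("pk_old")                                        # step 6
    old_after = store.authenticate("pk_old", "example.com", t0 + timedelta(minutes=11))
    new_after = store.authenticate("pk_new", "example.com", t0 + timedelta(minutes=11))[0]
    return {"both_ok": both_ok, "quiet_before_revoke": quiet, "old_after": old_after,
            "new_after": new_after, "visible": store.list_keys(), "all": store.list_keys(True)}
```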
We never auto-rotate. Some platforms force key rotation every N days. That just trains people to deploy under pressure. We'd rather you rotate when there's a reason and never otherwise.