Key rotation

When you need to replace an API key — because it expired, was compromised, or you're rotating credentials as a security practice — cn2.ai supports zero-downtime rotation with a 5-minute overlap window.

How rotation works

  1. Paste the new key. Go to Dashboard → Keys → [your key] → Rotate key. Enter the replacement API key.
  2. Liveness check. cn2.ai verifies the new key works by sending a test request. The rotation cannot proceed until the new key passes.
  3. 5-minute overlap. When you confirm, both the old and new keys become active simultaneously for 5 minutes. New incoming requests use the new key. Any ongoing streaming responses that started before the rotation continue on the old key until they complete.
  4. Automatic promotion. After 5 minutes, the new key becomes the sole active key. The old key data is removed from cn2.ai.
  5. Revoke the old key upstream. After rotation completes, revoke the old key in your API provider's dashboard. cn2.ai does not control upstream key revocation.

During the overlap window

  • The dashboard shows a countdown timer
  • Your key status changes to "rotating"
  • New requests use the new key
  • Active streaming responses (SSE) continue on the old key until they finish
  • The overlap window is fixed at 5 minutes and cannot be changed

Notifications

If you have webhooks configured, you receive two events:

  • key.rotation_started — when the overlap window begins
  • key.rotation_complete — when the new key is promoted and the old key is removed
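
The two webhook events can drive the follow-up work around a rotation: recording that the old key still has to be revoked upstream (step 5) and noticing a rotation that never reports completion. The sketch below is an added example, not cn2.ai code; the payload fields (type, key_id, at), the RotationTracker class and the one-minute delivery grace period are assumptions, and only the two event names and the 5-minute window come from this page.

```python
from datetime import datetime, timedelta

OVERLAP = timedelta(minutes=5)   # fixed overlap window described above
GRACE = timedelta(minutes=1)     # assumed allowance for webhook delivery delay


class RotationTracker:
    """Turns rotation webhook events into follow-up actions for operators."""

    def __init__(self):
        self.started = {}            # key_id -> time of key.rotation_started
        self.pending_revoke = set()  # promoted keys; old key not yet revoked upstream

    def handle(self, event):
        # Assumed payload shape: {"type": str, "key_id": str, "at": ISO-8601 str}
        kind, key_id = event["type"], event["key_id"]
        at = datetime.fromisoformat(event["at"])
        if kind == "key.rotation_started":
            self.started[key_id] = at
            return "overlap-open"
        if kind == "key.rotation_complete":
            began = self.started.pop(key_id, None)
            self.pending_revoke.add(key_id)   # step 5 is still outstanding
            # No recorded start: an event was missed or the rotation was unexpected.
            return "revoke-upstream" if began else "revoke-upstream-unexpected"
        return "ignored"

    def overdue(self, now):
        """Rotations still open after the overlap window plus grace."""
        return sorted(k for k, t in self.started.items() if now - t > OVERLAP + GRACE)

    def mark_revoked(self, key_id):
        """Call once the old key has been revoked in the provider's dashboard."""
        self.pending_revoke.discard(key_id)


# Constructed sample events (not captured from cn2.ai).
SAMPLE_EVENTS = [
    {"type": "key.rotation_started", "key_id": "key_a", "at": "2024-05-01T12:00:00+00:00"},
    {"type": "key.rotation_started", "key_id": "key_b", "at": "2024-05-01T12:01:00+00:00"},
    {"type": "key.rotation_complete", "key_id": "key_a", "at": "2024-05-01T12:05:00+00:00"},
    {"type": "key.rotation_complete", "key_id": "key_c", "at": "2024-05-01T12:06:00+00:00"},
]

if __name__ == "__main__":
    tracker = RotationTracker()
    for ev in SAMPLE_EVENTS:
        print(ev["key_id"], tracker.handle(ev))
    now = datetime.fromisoformat("2024-05-01T12:10:00+00:00")
    print("overdue:", tracker.overdue(now), "revoke:", sorted(tracker.pending_revoke))
```

In the sample run, key_b is reported overdue because no completion event arrived, and key_c is flagged because it completed without a recorded start.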