Skip to main content
POST
/
v1
/
tenant
/
rotate-key
Rotate API Key
curl --request POST \
  --url https://api.aethercitadel.cloud/v1/tenant/rotate-key \
  --header 'X-Citadel-Key: <x-citadel-key>'
import requests

url = "https://api.aethercitadel.cloud/v1/tenant/rotate-key"

headers = {"X-Citadel-Key": "<x-citadel-key>"}

response = requests.post(url, headers=headers)

print(response.text)
const options = {method: 'POST', headers: {'X-Citadel-Key': '<x-citadel-key>'}};

fetch('https://api.aethercitadel.cloud/v1/tenant/rotate-key', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://api.aethercitadel.cloud/v1/tenant/rotate-key",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_HTTPHEADER => [
"X-Citadel-Key: <x-citadel-key>"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"net/http"
"io"
)

func main() {

url := "https://api.aethercitadel.cloud/v1/tenant/rotate-key"

req, _ := http.NewRequest("POST", url, nil)

req.Header.Add("X-Citadel-Key", "<x-citadel-key>")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://api.aethercitadel.cloud/v1/tenant/rotate-key")
.header("X-Citadel-Key", "<x-citadel-key>")
.asString();
require 'uri'
require 'net/http'

url = URI("https://api.aethercitadel.cloud/v1/tenant/rotate-key")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["X-Citadel-Key"] = '<x-citadel-key>'

response = http.request(request)
puts response.read_body
{
  "new_key": "<string>",
  "message": "<string>"
}

Overview

If your API key is compromised or you want to rotate it as a security practice, this endpoint generates a fresh key and immediately deactivates the old one.
Update all your services before you rotate. The old key stops working the instant you call this endpoint — there is no grace period.

Request

X-Citadel-Key
string
required
Your current Aether Citadel API key (ack_live_...). This key will be invalidated.
No request body required.

Response

new_key
string
Your new API key. Update all environments that use the old key.
message
string
Confirmation message reminding you to update your integration.

Example

curl -X POST https://api.aethercitadel.cloud/v1/tenant/rotate-key \
  -H "X-Citadel-Key: ack_live_YOUR_CURRENT_KEY"
{
  "new_key": "ack_live_d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8",
  "message": "Your old key is now invalid. Update your integration immediately."
}

Rotation Checklist

After rotating your key, update it in:
  • Server environment variables (.env, Kubernetes secrets, etc.)
  • CI/CD pipeline secrets
  • Any queued jobs or scheduled tasks that use the key
  • Partner integrations that call Citadel on your behalf

Error Responses

StatusErrorMeaning
401Missing X-Citadel-Key headerNo key provided
401Invalid or inactive API keyKey doesn’t exist or was already deactivated
503Multi-tenancy not configuredContact support