Rotating Keys
transmute has no in-place rotate operation — rotation is create-new, deploy, revoke-old. The honest procedure, including what happens on revocation.
How rotation works here
There is deliberately no "rotate" button that swaps a key's secret in place. A transmute key is immutable from creation to revocation; rotation is a three-step overlap:
- Create a new key in the portal with the same environment and scopes (you have 20 slots, so an overlap never requires deleting first).
- Deploy the new key to your systems and confirm traffic flows (watch for
401s dropping to zero on the old key). - Revoke the old key in the portal.
Revocation is immediate — there is no grace period. The next request with a revoked key gets a uniform unauthorized 401. This is why the order above matters: revoke last, after the new key is verified in production.
If a key has leaked
Skip the overlap. Revoke the leaked key immediately, accept the brief outage, then create and deploy a replacement. An exposed key that can convert your payment traffic is worse than a few minutes of 401s.
Making rotations painless
- Name keys by system and generation:
worker-prod-2026a,worker-prod-2026b. The portal list then tells you at a glance which key is current. - One key per system. Rotating a shared key forces you to redeploy everything at once.
- Load the key from your secret manager at startup rather than baking it into images — then rotation is a secret update plus a restart, not a rebuild.
- Schedule it. Nothing in transmute forces rotation (portal keys never expire), so put it on your own calendar — quarterly is a common cadence for payment infrastructure.
OAuth alternative
If your security posture requires short-lived credentials as a rule, use OAuth client credentials instead of long-lived keys: tokens expire after 15 minutes, and revoking the client stops new tokens immediately (outstanding tokens live out their ≤15-minute lifetime).