Overview
Generates a new API key for your platform. The old key is immediately invalidated.
This action cannot be undone! Your old API key will stop working immediately. Update all services using the old key before regenerating.
Authentication
Requires Platform API Key in the X-API-Key header (the old key you’re replacing).
Request
POST https://api.syncline.run/v1/platform/regenerate-key
Response
{
"success": true,
"api_key": "sk_live_new_abc123xyz789...",
"message": "API key regenerated successfully. Save this key - it won't be shown again!"
}
Always true on successful regeneration
Your new API key. Save this immediately - it will never be shown again.
Important reminder to save the key
When to Regenerate
Security Breach
If your API key is exposed (committed to git, leaked in logs, etc.):
// Immediately regenerate
const response = await fetch('https://api.syncline.run/v1/platform/regenerate-key', {
method: 'POST',
headers: {
'X-API-Key': process.env.OLD_SYNCLINE_API_KEY
}
});
const { api_key } = await response.json();
// Update environment variable immediately
console.log('New API Key:', api_key);
console.log('Update your environment variable NOW');
Regular Rotation
Rotate keys every 90 days as a security best practice:
// Scheduled key rotation
async function rotateAPIKey() {
console.log('Rotating Syncline API key...');
// 1. Generate new key
const { api_key } = await regenerateKey();
// 2. Update secrets manager
await updateSecret('SYNCLINE_API_KEY', api_key);
// 3. Deploy services with new key
await deployServices();
// 4. Verify new key works
await testNewKey(api_key);
console.log('✓ API key rotated successfully');
}
// Run every 90 days
schedule.every('90 days').do(rotateAPIKey);
Employee Offboarding
When team members leave who had access to the key:
async function offboardEmployee(employeeName) {
console.log(`Offboarding ${employeeName}...`);
// Regenerate all API keys they had access to
await regenerateKey();
// Update documentation
await notifyTeam(`API keys rotated after ${employeeName} departure`);
console.log('✓ Keys rotated');
}
Zero-Downtime Rotation
For critical production systems, use this pattern:
async function rotateKeyWithZeroDowntime() {
const oldKey = process.env.SYNCLINE_API_KEY;
// 1. Generate new key
const { api_key: newKey } = await regenerateKey();
// 2. Update secrets manager
await secretsManager.updateSecret('SYNCLINE_API_KEY', newKey);
// 3. Gradually roll out new key to services
await rollingDeploy({
updateEnvVar: { SYNCLINE_API_KEY: newKey },
strategy: 'blue-green', // Deploy to new instances first
healthCheck: async () => {
// Verify new key works
const response = await fetch('https://api.syncline.run/v1/platform/dashboard', {
headers: { 'X-API-Key': newKey }
});
return response.ok;
}
});
console.log('✓ Zero-downtime rotation complete');
}
Best Practices
const { api_key } = await regenerateKey();
// Bad: Not saving the key
console.log('Key regenerated!');
// ❌ You just lost access to your account!
// Good: Save to secrets manager immediately
await secretsManager.set('SYNCLINE_API_KEY', api_key);
await notifyTeam('New API key saved to secrets manager');
Update All Services
async function regenerateAndUpdate() {
const { api_key } = await regenerateKey();
// Update all services that use the key
const services = [
'production-api',
'staging-api',
'cron-jobs',
'background-workers'
];
for (const service of services) {
await updateServiceSecret(service, 'SYNCLINE_API_KEY', api_key);
}
// Verify all services are healthy
for (const service of services) {
const healthy = await checkServiceHealth(service);
if (!healthy) {
throw new Error(`Service ${service} failed after key rotation!`);
}
}
console.log('✓ All services updated successfully');
}
Test Before Deploying
async function regenerateWithTesting() {
// Generate new key
const { api_key } = await regenerateKey();
// Test new key works
try {
const response = await fetch('https://api.syncline.run/v1/platform/dashboard', {
headers: { 'X-API-Key': api_key }
});
if (!response.ok) {
throw new Error('New key not working!');
}
console.log('✓ New key verified');
} catch (error) {
console.error('❌ New key test failed:', error);
throw error;
}
// Deploy only after verification
await deployNewKey(api_key);
}
Keep Audit Trail
async function regenerateWithAudit() {
const { api_key } = await regenerateKey();
// Log rotation event
await auditLog.create({
event: 'api_key_rotated',
timestamp: new Date(),
rotated_by: currentUser.email,
reason: 'Scheduled 90-day rotation',
old_key_prefix: oldKey.substring(0, 12),
new_key_prefix: api_key.substring(0, 12)
});
// Notify team
await slack.send({
channel: '#security',
message: `🔑 Syncline API key rotated by ${currentUser.email}`
});
return api_key;
}
Error Responses
Invalid API Key
{
"error": "Unauthorized",
"message": "Invalid or missing API key"
}
Rate Limit
{
"error": "Too many regeneration attempts",
"message": "Please wait 1 hour between key regenerations"
}
Security Considerations
Never commit API keys to version control!Always use environment variables or secrets managers:
- AWS Secrets Manager
- Google Secret Manager
- HashiCorp Vault
- Environment variables in deployment platform
const oldKey = 'sk_live_old_abc123...';
// Regenerate
const { api_key: newKey } = await regenerateKey();
// Old key now INVALID
try {
await fetch('https://api.syncline.run/v1/platform/dashboard', {
headers: { 'X-API-Key': oldKey }
});
} catch (error) {
console.log('Old key no longer works ✓');
}
// New key works
await fetch('https://api.syncline.run/v1/platform/dashboard', {
headers: { 'X-API-Key': newKey }
}); // ✓ Success
No Grace Period
Unlike some services, there is no grace period where both keys work. Plan your rotation accordingly.
