Rotate an API key
Create a replacement key
Open the API application and choose Create replacement key. Nuvera returns a new one-time API key and marks existing active keys as expiring when a grace window is used.
Store the new key
Store the new key in the partner secret manager. Do not paste it into tickets, chat, docs, logs, proof artifacts, or screenshots.
Deploy the new key
Deploy the service with the new x-api-key value while continuing to sign requests with the current private key.
Verify production traffic
Confirm that successful REST requests are using the new key. Check last-used metadata in the application screen.
Rotate a signing key
Rotating the signing key changes the RSA key pair used for the Authorization JWT.
- Generate a new RSA private/public key pair outside Nuvera or in the browser.
- Store the new private key in the partner key manager.
- Replace the application signing public key in Nuvera.
- Deploy the service with the matching private key.
- Send a signed test request and verify success.
- Remove the old private key from service configuration after rollout.
Emergency disablement
If a partner service is compromised, disable the API application from the partner app or ask a Nuvera admin to disable it from the organization hub. A disabled application rejects authentication even when the API key and JWT are otherwise valid.
Audit and rollback expectations
Application creation, permission changes, enabled/disabled state changes, signing-key replacements, key creation, expiring-key updates, and key revocations are recorded in audit history. For rollback:
- If the new key is bad and the old key is still active or expiring, switch service configuration back to the old key and investigate.
- If the old key was revoked, create another replacement key and deploy it.
- If the signing key was replaced with the wrong public key, replace it again with the public key matching the private key currently deployed by the service.
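
The signing-key rotation steps and the wrong-public-key rollback case both depend on the registered public key belonging to the private key the service deploys. The shell script below is an added example, not Nuvera tooling: it assumes the openssl CLI, and its function names, file names and 2048-bit key size are illustrative assumptions.

```shell
#!/bin/sh
# Added example: local checks around a signing-key rotation.
# File names and the 2048-bit size are assumptions, not Nuvera requirements.

# Generate an RSA key pair: $1 = private key path, $2 = public key path.
generate_signing_pair() {
    ( umask 077   # private key readable by the owner only
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null ) || return 1
    openssl pkey -in "$1" -pubout -out "$2"
}

# Print the SHA-256 of the DER-encoded public key.
# $1 = "private" (derive the public half first) or "public"; $2 = PEM file.
spki_fingerprint() {
    der=$(mktemp) || return 1
    rc=0
    case $1 in
        private) openssl pkey -in "$2" -pubout -outform DER -out "$der" 2>/dev/null || rc=1 ;;
        public)  openssl pkey -pubin -in "$2" -pubout -outform DER -out "$der" 2>/dev/null || rc=1 ;;
        *)       rc=2 ;;
    esac
    if [ "$rc" -eq 0 ]; then openssl dgst -sha256 -r "$der" | cut -d' ' -f1; fi
    rm -f "$der"
    return "$rc"
}

# Succeed only if the public key in $2 belongs to the private key in $1.
# An unreadable file counts as a mismatch rather than comparing empty output.
signing_key_matches() {
    priv_fp=$(spki_fingerprint private "$1") || return 1
    pub_fp=$(spki_fingerprint public "$2") || return 1
    [ -n "$priv_fp" ] && [ "$priv_fp" = "$pub_fp" ]
}

# Demo with constructed keys in a throwaway directory.
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
generate_signing_pair "$demo_dir/old.key" "$demo_dir/old.pub"
generate_signing_pair "$demo_dir/new.key" "$demo_dir/new.pub"
for pub in old.pub new.pub; do
    if signing_key_matches "$demo_dir/new.key" "$demo_dir/$pub"; then
        echo "$pub matches new.key: this is the public key to register"
    else
        echo "$pub does NOT match new.key: do not register it for a service signing with new.key"
    fi
done
```

Only the public key file and its fingerprint are safe to share when comparing against what is registered; the private key file stays in the partner key manager.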