Editing the scopes on an existing key
Change a key's permissions without rotating the secret.
You do not have to throw away an API key to change what it can do. Open the key's row on the API keys page, press the pencil-edit button next to the scope list, tick or untick scopes, and save.
The secret string does not change. Your existing code keeps working; you do not have to redeploy.
When you broaden a key (add a scope)
Adding a scope makes the key more powerful, so we ask you to confirm twice and re-enter your password. Both events are recorded in the key's audit log with the previous and new scope sets, your IP, and the timestamp.
We also email the key owner whenever scopes change, so you find out right away if someone you do not expect is editing your keys.
When you narrow a key (remove a scope)
Removing a scope is safer, so we do not require a password re-prompt. We still log it.
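One way to review the scope-change records described above, as an added example that is not part of the original page or the service's own tooling. The record field names, scope names and expected-network list are assumptions (the page does not document an export format), and the sample records are constructed.

```python
# Added example: field and scope names are assumptions, not a documented format.
from ipaddress import ip_address, ip_network

# Constructed sample records: previous/new scope sets, IP, timestamp.
SAMPLE_EVENTS = [
    {"key_id": "key_A", "previous_scopes": ["read"], "new_scopes": ["read", "write"],
     "ip": "203.0.113.7", "timestamp": "2024-05-01T10:00:00Z"},
    {"key_id": "key_A", "previous_scopes": ["read", "write"], "new_scopes": ["read"],
     "ip": "198.51.100.20", "timestamp": "2024-05-02T09:30:00Z"},
    {"key_id": "key_B", "previous_scopes": ["read", "billing"], "new_scopes": ["read", "admin"],
     "ip": "198.51.100.20", "timestamp": "2024-05-03T14:15:00Z"},
]

# Assumed: networks you expect key edits to come from.
EXPECTED_NETWORKS = [ip_network("203.0.113.0/24")]


def classify(event):
    """Return (kind, added, removed) for one scope-change record."""
    prev, new = set(event["previous_scopes"]), set(event["new_scopes"])
    added, removed = new - prev, prev - new
    if added and removed:
        kind = "mixed"  # a swap still grants something the key lacked before
    elif added:
        kind = "broadened"
    elif removed:
        kind = "narrowed"
    else:
        kind = "unchanged"
    return kind, sorted(added), sorted(removed)


def review(events, expected_networks):
    """List edits that granted new scopes from an IP outside the expected networks."""
    findings = []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        kind, added, _ = classify(ev)
        known = any(ip_address(ev["ip"]) in net for net in expected_networks)
        if added and not known:
            findings.append((ev["timestamp"], ev["key_id"], kind, added, ev["ip"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS, EXPECTED_NETWORKS):
        print(finding)
```

An edit that both adds and removes scopes is reported as "mixed" and reviewed like a broadening, because the key gains a permission it did not have before.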
When to rotate instead
Rotate (not edit) when:
- You think the secret leaked. Editing scopes does not invalidate the key; rotation does.
- You want a fresh audit trail and a new last-used baseline.
- Compliance rules require periodic rotation regardless of usage.
What if I want both?
Edit the scopes first, save, then rotate. The audit log will show both events in order.