Recommended lifecycle for inference API keys (create, rotate, and revoke in the console).

Create

  1. Create an inference key per tenant; name by use case (prod-backend, test-backend).
  2. Store in a secret manager immediately; avoid long-lived plaintext in chat/email.
  3. Run "First request" to verify connectivity before routing production traffic.

Day-to-day

  • One key per service for easier revocation and audit.
  • Configure IP allow lists when offered (see "Network and access").
  • Alert on 401/403 spikes.

Rotation

Use an overlap window:

  1. Create key B; deploy B to all instances and verify traffic.
  2. After 24–72h with no traffic on key A, disable A.
  3. Delete or archive A per compliance policy.

Avoid deleting the old key before the new key is live everywhere.
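
One way to gate step 2 of the rotation, as an added example that is not part of the original page: it checks both that key A has been quiet for the whole window and that key B has served successful traffic from every instance. The record fields (ts, key_id, instance, status), the key and instance names, and the 24h quiet window are assumptions; adapt them to whatever usage data your console or gateway logs provide.

```python
from datetime import datetime, timedelta

QUIET = timedelta(hours=24)  # low end of the 24-72h overlap window

# Constructed sample usage records; field names are assumptions, not a console export format.
SAMPLE = [
    {"ts": "2024-05-01T08:00:00+00:00", "key_id": "key-A", "instance": "api-1", "status": 200},
    {"ts": "2024-05-01T09:00:00+00:00", "key_id": "key-B", "instance": "api-1", "status": 200},
    {"ts": "2024-05-01T09:05:00+00:00", "key_id": "key-B", "instance": "api-2", "status": 200},
    {"ts": "2024-05-02T03:00:00+00:00", "key_id": "key-A", "instance": "worker-1", "status": 200},
]
INSTANCES = ["api-1", "api-2", "worker-1"]  # constructed inventory of services holding the key


def rotation_gate(records, old_key, new_key, instances, now, quiet=QUIET):
    """Return (ok, reasons); ok is True only when old_key can be disabled."""
    last_old = None
    live_on_new = set()
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["key_id"] == old_key:
            # Any attempt with the old key counts, whatever the status code.
            last_old = ts if last_old is None else max(last_old, ts)
        elif rec["key_id"] == new_key and rec["status"] < 400:
            live_on_new.add(rec["instance"])

    reasons = []
    missing = sorted(set(instances) - live_on_new)
    if missing:
        reasons.append("no successful %s traffic from: %s" % (new_key, ", ".join(missing)))
    if last_old is not None and now - last_old < quiet:
        reasons.append("%s last used %s ago, inside the %s quiet window"
                       % (old_key, now - last_old, quiet))
    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-04T12:00:00+00:00")
    ok, reasons = rotation_gate(SAMPLE, "key-A", "key-B", INSTANCES, now)
    print("safe to disable key-A:", ok)
    for r in reasons:
        print(" -", r)
```

In the sample, key A has been quiet for more than 24h by 4 May, yet the gate still fails because worker-1 has never made a successful request with key B; an idle instance looks the same as a migrated one if you only watch the old key.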

Disable and delete

  • Disable: auth fails immediately — use for suspected leak or offboarding.
  • Delete: irreversible; confirm no dependencies.

Leak response

  1. Disable the suspected key immediately.
  2. Issue a new key and roll all services.
  3. Review usage anomalies and source IPs in the console.
  4. Post-mortem: logs, front-end bundles, public repos.
