Key rotation strategy
Rotating Meridian API keys on a regular cadence limits blast radius when a key leaks, satisfies SOC 2 controls, and lets you revoke compromised credentials without downtime. This recipe walks through a zero-downtime rotation pattern using overlapping keys.
1. Provision an overlap window
Create the replacement key in the Meridian dashboard before retiring the existing one. Both keys remain valid for the duration of your rollout, which prevents in-flight requests from failing during deploys. We recommend a 24-72 hour overlap for production fleets.
curl -X POST https://api.meridian.dev/v1/keys \
  -H "Authorization: Bearer $MERIDIAN_ADMIN_KEY" \
  -d '{"label":"prod-2026-q3","expires_in":"72h"}'

2. Roll deployments to the new key
Push the new key into your secrets manager (Vault, AWS Secrets Manager, Doppler) and trigger a rolling restart of every service that holds the credential. Watch your Meridian dashboard for the per-key usage counter on the new key to rise as the old key falls toward zero.
If a workload is still issuing requests with the old key after the rollout completes, that is your signal that a deployment was missed. Do not revoke the old key until the old-key usage counter has been flat at zero for at least one full traffic cycle.
3. Revoke and audit
Once the old key has zero traffic, revoke it explicitly rather than letting it lapse. Explicit revocation produces an audit log entry tied to an operator identity, which is what your compliance reviewer wants to see.
curl -X DELETE https://api.meridian.dev/v1/keys/key_abc123 \
  -H "Authorization: Bearer $MERIDIAN_ADMIN_KEY"

Automate it
Schedule the three steps above as a quarterly job in your CI. Meridian sends a webhook 14 days before any key's scheduled expiry so the rotation kicks off without human intervention.
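The three steps above as one orchestrator that only revokes once the old key's usage has been flat at zero for a full traffic cycle. This is an added example, not Meridian's own client or CI job; it assumes the POST /v1/keys response carries "id" and "key" fields and uses a hypothetical GET /v1/keys/{id}/usage endpoint for the per-key counter, while the POST and DELETE calls mirror the curl commands in the recipe.

```python
import json
import time
import urllib.request
from typing import Callable, Optional, Sequence

class MeridianClient:
    """Thin client for the endpoints used in the recipe (assumed shapes, see lead-in)."""
    def __init__(self, admin_key: str, base: str = "https://api.meridian.dev/v1"):
        self.admin_key, self.base = admin_key, base

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.admin_key}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")

    def create_key(self, label: str, expires_in: str = "72h") -> dict:
        return self._call("POST", "/keys", {"label": label, "expires_in": expires_in})

    def revoke_key(self, key_id: str) -> dict:   # explicit DELETE => audit log entry
        return self._call("DELETE", f"/keys/{key_id}")

    def usage(self, key_id: str) -> int:         # hypothetical endpoint: requests in last interval
        return int(self._call("GET", f"/keys/{key_id}/usage")["requests"])


def safe_to_revoke(samples: Sequence[int], cycle_polls: int) -> bool:
    """True only when the last `cycle_polls` consecutive readings (one full traffic
    cycle) are all zero; any non-zero reading restarts the window."""
    window = samples[-cycle_polls:]
    return len(window) == cycle_polls and not any(window)


def rotate(client, old_key_id: str, label: str, deploy: Callable[[str], None],
           cycle_polls: int, max_polls: int, interval_s: float = 300.0,
           wait: Callable[[float], None] = time.sleep) -> dict:
    """Create the overlapping key, roll it out, then poll the old key's usage.
    If usage never settles at zero within max_polls, a deployment was missed:
    report it and leave the old key valid rather than breaking that workload."""
    new_key = client.create_key(label)
    deploy(new_key["key"])                       # secrets-manager push + rolling restart
    samples: list = []
    for _ in range(max_polls):
        samples.append(client.usage(old_key_id))
        if safe_to_revoke(samples, cycle_polls):
            client.revoke_key(old_key_id)
            return {"status": "revoked", "new_key_id": new_key["id"], "samples": samples}
        wait(interval_s)
    return {"status": "missed-deployment", "new_key_id": new_key["id"], "samples": samples}
```

The `deploy` callable is where your secrets-manager update and rolling restart go; `wait` is injectable so the gating logic can be exercised against recorded counter readings without sleeping.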