EnglishLimits and securityAPI key rotation

API key rotation

Good credential hygiene requires periodic rotation.

Procedure

  1. Create a new key in the dashboard, under Devices / API keys. The secret appears only once.
  2. Update the environment variable in your application (INFI_API_KEY).
  3. Deploy. Wait for all processes to read the new key.
  4. Revoke the old key in the dashboard.

When to rotate

  • On a regular schedule (e.g., quarterly).
  • Immediately after any suspected exposure.
  • When someone with access leaves the team.
  • After changing cloud provider or secrets vault.

Multiple active keys

INFI allows up to 10 active keys simultaneously per account (default; adjustable on request). Use this for:

  • Zero-downtime rotation (overlap new and old during deploy).
  • Component separation (one key per microservice).
  • Isolating your internal environments (dev, staging, prod). But note: all requests use the same balance and count towards the same rate limit of the account.
Do not share with end customers

API keys are for systems you control. Never distribute them to mobile apps, frontends or end users.

Rate limitsErrors