Overview
Understand API key behavior
Torq API keys are immutable credential pairs. When a key is created, Torq generates a Client ID and Client Secret together, and neither value can be updated independently.
Because of this, API key management supports only two approaches:
Full replacement: Create a new key pair and remove the old one. This generates new credentials and requires updating all dependent integrations.
Expiration update: Extend or modify the validity of the existing key. This keeps the current credentials and requires no integration changes.
Choose the appropriate approach based on your security requirements and operational needs.
Choose the right approach
Use full replacement when the credential may be compromised or must be fully rotated. Use expiration update when the key remains trusted and only its validity window needs adjustment.
When to use full replacement
Compromise suspected: The Client ID or Client Secret may be exposed.
Immediate invalidation required: The existing key must be revoked regardless of expiration.
Strict rotation policy: Full credential replacement is required.
When to use expiration update
Key is secure: No compromise is suspected.
Expiration needs adjustment: Extend or correct the validity period.
Lifecycle management: Maintain the same credentials under a renewal policy.
How to use
Replace the full API key pair
Replace the entire key pair to ensure no part of the previous credential remains active.
Replace the key manually
Open API Keys: Click your user icon and select API Keys.
Create key: Click Create API Key, enter a name, set expiration, and choose Service if needed.
Copy credentials: Copy the Client ID and Client Secret immediately (the secret is shown once).
Update integrations: Replace old credentials in all dependent integrations.
Validate integrations: Ensure all integrations work with the new key.
Delete old key: Remove the old key from the API Keys page.
Replace the key programmatically
Create API key: Add the Create a Service API Key step to the workflow to generate new credentials.
Update integrations: Update each integration with the new Client ID and Client Secret.
Delete the old key: After validation, delete the old key manually via the UI.
The Create a Service API Key step requires the Owner role.
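The replacement order described above (create, update, validate, and only then delete the old key), as an added Python example; it is not Torq's code and calls no Torq API. The hooks create_key, apply_key and validate are hypothetical and supplied by the caller, old_trusted is an assumed flag that separates a policy rotation from a suspected compromise, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class KeyPair:
    name: str
    client_id: str
    client_secret: str

@dataclass
class RotationResult:
    new: KeyPair               # pair generated for this rotation
    failed: List[str]          # integrations that did not validate on the new pair
    old_safe_to_delete: bool   # True only when every integration validated

def replace_key_pair(old: KeyPair,
                     create_key: Callable[[], KeyPair],
                     integrations: List[str],
                     apply_key: Callable[[str, KeyPair], None],
                     validate: Callable[[str], bool],
                     old_trusted: bool) -> RotationResult:
    """Run create -> update -> validate and gate deletion of the old pair."""
    new = create_key()  # the secret is shown once, so capture it here
    failed: List[str] = []
    for name in integrations:
        apply_key(name, new)
        if validate(name):
            continue
        failed.append(name)
        if old_trusted:
            # Policy rotation: the old pair still exists and is not suspect,
            # so point the failing integration back at it to keep it working.
            apply_key(name, old)
        # Suspected compromise: leave the new pair in place and report the
        # integration for repair instead of restoring an exposed credential.
    return RotationResult(new=new, failed=failed, old_safe_to_delete=not failed)

if __name__ == "__main__":
    # Constructed sample: two integrations, one rejects the new pair.
    old = KeyPair("svc-old", "id-old", "secret-old")
    store = {"siem": old, "ticketing": old}
    result = replace_key_pair(
        old, lambda: KeyPair("svc-new", "id-new", "secret-new"),
        list(store), store.__setitem__,
        lambda n: n != "ticketing", old_trusted=True)
    print(result.failed, result.old_safe_to_delete)
```

The old key is deleted in the UI only when old_safe_to_delete is true; otherwise fix the integrations listed in failed and validate again.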
Update the API key expiration date
Update the expiration date to extend or adjust the key’s validity without replacing it.
Update expiration manually
Open API Keys: Click your user icon and select API Keys.
Edit key: Select the key and click Edit.
Set expiration: Choose a predefined date or use the calendar.
Save changes: Apply the update immediately.
Update expiration programmatically
This approach is useful for automated lifecycle management at scale.



