Developer Documentation
API Key Rotation
Rotate your FundraiserMax API keys with zero downtime using grace periods. Keep your integrations secure with regular key rotation.
Key Rotation
Regular key rotation is a security best practice. FundraiserMax supports zero-downtime rotation with a configurable grace period during which both the old and new secrets are accepted.
How It Works
- Call the rotation endpoint to generate a new secret. The old secret enters a grace period (default 24 hours) and continues to work alongside the new one.
- Update all of your applications and integrations to use the new secret.
- Once the grace period expires, the old secret is permanently invalidated. Only the new secret will be accepted.
Rotation Endpoint
POST/api/v1/api-keys/:id/rotate
Rotate the secret for an existing API key. Returns the new secret (shown only once) and the grace period expiry timestamp.
| Name | Type | Required | Description |
|---|---|---|---|
id | string | Yes | The API key ID to rotate (path parameter). |
gracePeriodHours | number | No | Hours the old secret remains valid. Defaults to 24. Max 168 (7 days). |
curl -X POST "https://api.fundraisermax.com/api/v1/api-keys/fmx_your_key_id/rotate" \
-H "X-API-Key: fmx_your_key_id" \
-H "Authorization: Bearer your_current_secret" \
-H "Content-Type: application/json" \
-d '{"gracePeriodHours": 48}'{
"newSecret": "fmxs_new_secret_value",
"gracePeriodEnds": "2026-02-18T12:00:00Z",
"message": "Old secret will remain valid until the grace period ends."
}Tip: Set up automated rotation on a schedule (e.g., every 90 days) and use the grace period to deploy updated secrets without downtime.