Recipe 22 — API key rotation (zero-downtime)
Status: ⏸ Coming M6+
TZ reference: TZ-10 lines 248-251 (API-key format cag_live_<24>_<8>)
On Day-0 the API issues a JWT via a dev helper. The cag_live_* API-key
infrastructure (issuance + rotation + management UI) is in M6+ Public
Beta scope. The SDK already accepts both shapes — the server discriminates
on the prefix.
When the API-key surface lands the SDK will gain:
- client.api_keys.list() — list active keys for the authed user
- client.api_keys.create(name=..., scopes=[...]) — mint a new key
- client.api_keys.rotate(key_id=...) — issue a successor key (old key remains valid for a 7-day grace window per TZ-10)
- client.api_keys.revoke(key_id=...) — invalidate immediately
Zero-downtime rotation pattern: create new key → update consumers → revoke old after grace window. Recipe 25 covers OAuth migration.
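
The rotation semantics described above (successor valid at once, old key valid through the 7-day grace window, revoke effective immediately), modelled as an added example; this is not SDK or project code. The `KeyStore` class, its storage of SHA-256 digests, and the reading of `<24>`/`<8>` as hex characters are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # grace window the page cites from TZ-10

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class KeyStore:
    """Hypothetical in-memory model of the server side; keeps digests, not keys."""

    def __init__(self):
        self._keys = {}  # key_id -> {"digest": str, "expires": datetime or None}

    def create(self):
        # Assumption: <24> and <8> are read here as 24 and 8 hex characters.
        secret = f"cag_live_{secrets.token_hex(12)}_{secrets.token_hex(4)}"
        key_id = f"key_{len(self._keys) + 1}"
        self._keys[key_id] = {"digest": _digest(secret), "expires": None}
        return key_id, secret

    def rotate(self, key_id, now):
        rec = self._keys[key_id]
        if rec["expires"] is not None:  # never extend a rotated or revoked key
            raise ValueError(f"{key_id} is not an active key")
        rec["expires"] = now + GRACE  # old key stays usable during the grace window
        return self.create()

    def revoke(self, key_id, now):
        rec = self._keys[key_id]
        # Only ever shorten validity: revoking cannot revive an expired key.
        rec["expires"] = now if rec["expires"] is None else min(rec["expires"], now)

    def is_valid(self, secret, now):
        digest = _digest(secret)
        for rec in self._keys.values():
            if secrets.compare_digest(rec["digest"], digest):
                return rec["expires"] is None or now < rec["expires"]
        return False

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = KeyStore()
    old_id, old = store.create()
    new_id, new = store.rotate(old_id, t0)
    for day in (0, 3, 7):
        now = t0 + timedelta(days=day)
        print(day, store.is_valid(old, now), store.is_valid(new, now))
```

Calling `revoke` on the old key once every consumer has switched ends the overlap early instead of waiting out the full window.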