POST /v1/issuers/keys/{kid}/rotate
Rotate Issuer Key
curl --request POST \
  --url https://api.truthlocks.com/v1/issuers/keys/{kid}/rotate \
  --header 'X-API-Key: <api-key>'
Rotates a signing key by creating a new key and marking the previous key as rotated. Existing attestations signed with the old key remain valid, but new attestations will use the new key.

Parameters

kid (string, required): The key identifier of the key to rotate
new_kid (string, required): The key identifier for the new replacement key
new_public_key_b64url (string, required): The base64url-encoded public key for the new key
alg (string, required): Cryptographic algorithm (must match original key)

Responses

{
  "old_key": {
    "kid": "ed-key-1",
    "status": "rotated",
    "rotated_at": "2026-02-18T19:00:00Z"
  },
  "new_key": {
    "kid": "ed-key-2",
    "status": "active",
    "alg": "Ed25519",
    "created_at": "2026-02-18T19:00:00Z"
  }
}
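
A client-side wrapper for this call, as an added example that is not part of the Truthlocks documentation or SDK: it validates the new key locally before building the request and checks a response against what was requested. It assumes `new_kid`, `new_public_key_b64url` and `alg` are sent as a JSON body and that base64url is unpadded; the function names are hypothetical.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

API_BASE = "https://api.truthlocks.com/v1"  # base URL from the curl sample
ED25519_PUBLIC_KEY_LEN = 32  # raw Ed25519 public keys are 32 bytes (RFC 8032)


def b64url(raw: bytes) -> str:
    # Assumption: unpadded base64url (as in JWK); the page does not specify padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_rotate_request(api_key, kid, original_alg, new_kid, new_public_key, alg="Ed25519"):
    """Validate inputs locally, then build (but do not send) the rotation request."""
    if alg != original_alg:
        raise ValueError("alg must match the original key's algorithm")
    if new_kid == kid:
        # Local sanity check, not a documented server rule.
        raise ValueError("new_kid must differ from the kid being rotated")
    if alg == "Ed25519" and len(new_public_key) != ED25519_PUBLIC_KEY_LEN:
        raise ValueError("Ed25519 public key must be 32 raw bytes")
    # Assumption: these three parameters travel in a JSON request body.
    body = {"new_kid": new_kid, "new_public_key_b64url": b64url(new_public_key), "alg": alg}
    return urllib.request.Request(
        # Percent-encode kid so it cannot alter the request path.
        f"{API_BASE}/issuers/keys/{quote(kid, safe='')}/rotate",
        data=json.dumps(body).encode("utf-8"),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )


def check_rotation_response(resp, kid, new_kid, alg):
    """Return a list of mismatches between the response and what was requested."""
    problems = []
    old, new = resp.get("old_key", {}), resp.get("new_key", {})
    if old.get("kid") != kid or old.get("status") != "rotated":
        problems.append("old key not reported as rotated")
    if new.get("kid") != new_kid or new.get("status") != "active":
        problems.append("new key not reported as active")
    if new.get("alg") != alg:
        problems.append("new key algorithm differs from request")
    return problems
```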

Authorizations

X-API-Key (string, header, required): API key for machine-to-machine authentication

Path Parameters

kid (string, required)

Response

200 - application/json

Key rotated

kid (string): Key identifier
issuer_id (string<uuid>)
algorithm (enum<string>): Available options: Ed25519
public_key (string): Base64-encoded public key
status (enum<string>): Available options: ACTIVE, DISABLED, EXPIRED
not_before (string<date-time>)
expires_at (string<date-time>)