Skip to main content
POST
/
v1
/
issuers
/
keys
/
{kid}
/
rotate
Rotate Issuer Key
curl --request POST \
  --url https://api.truthlocks.com/v1/issuers/keys/{kid}/rotate \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '{}'
{
  "kid": "<string>",
  "issuer_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "public_key": "<string>",
  "not_before": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z"
}
Rotates a signing key by creating a new key and marking the previous key as rotated. Existing attestations signed with the old key remain valid, but new attestations will use the new key.

Parameters

kid
string
required
The key identifier of the key to rotate
new_kid
string
required
The key identifier for the new replacement key
new_public_key_b64url
string
required
The base64url-encoded public key for the new key
alg
string
required
Cryptographic algorithm (must match original key)

Responses

Authorizations

X-API-Key
string
header
required

API key for machine-to-machine authentication

Path Parameters

kid
string
required

Body

application/json
alg
enum<string>

Algorithm for the new rotated key. Defaults to the same algorithm as the existing key.

Available options:
Ed25519,
ES256,
ES384,
ES512,
RS256,
RS384,
RS512,
PS256,
PS384,
PS512

Response

200 - application/json

Key rotated

kid
string

Key identifier

issuer_id
string<uuid>
algorithm
enum<string>

Signing algorithm for key generation

Available options:
Ed25519,
ES256,
ES384,
ES512,
RS256,
RS384,
RS512,
PS256,
PS384,
PS512
public_key
string

Base64-encoded public key

status
enum<string>
Available options:
ACTIVE,
DISABLED,
EXPIRED
not_before
string<date-time>
expires_at
string<date-time>