
# Rotate Key

> Rotates a cryptographic key, creating a new key and disabling the old one. Optionally specify a new algorithm for the rotated key.

Rotates a signing key by creating a new key and marking the previous key as rotated. Existing attestations signed with the old key remain valid, but new attestations will use the new key.

### Parameters

<ParamField path="kid" type="string" required>
  The key identifier of the key to rotate
</ParamField>

<ParamField body="new_kid" type="string" required>
  The key identifier for the new replacement key
</ParamField>

<ParamField body="new_public_key_b64url" type="string" required>
  The base64url-encoded public key for the new key
</ParamField>

<ParamField body="alg" type="string" required>
  Cryptographic algorithm (must match original key)
</ParamField>
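
A client-side pre-flight check for the rotation call, added here as an example (not Truthlocks' own code): it validates the inputs against the parameter table above and builds the request without sending it. The function names, sample identifiers and API key are hypothetical, and unpadded base64url and a raw 32-byte Ed25519 public key are assumptions the page does not confirm.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Values from the page's SigningAlgorithm enum.
SIGNING_ALGORITHMS = {"Ed25519", "ES256", "ES384", "ES512", "RS256",
                      "RS384", "RS512", "PS256", "PS384", "PS512"}
SANDBOX = "https://sandbox-api.truthlocks.com"  # sandbox base URL from the page


def b64url(raw: bytes) -> str:
    # Assumption: unpadded base64url as in JOSE (RFC 7515); the page does not say.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_rotate_request(api_key, kid, current_alg, new_kid, new_public_key, alg):
    """Validate rotation inputs locally and return an unsent urllib Request."""
    if alg not in SIGNING_ALGORITHMS:
        raise ValueError(f"unsupported alg: {alg!r}")
    if alg != current_alg:
        # The parameter table says alg must match the original key.
        raise ValueError("alg must match the key being rotated")
    if not new_kid or new_kid == kid:
        raise ValueError("new_kid must be set and differ from the old kid")
    if alg == "Ed25519" and len(new_public_key) != 32:
        # Ed25519 public keys are exactly 32 bytes (RFC 8032).
        raise ValueError("Ed25519 public key must be 32 bytes")
    body = {"new_kid": new_kid,
            "new_public_key_b64url": b64url(new_public_key),
            "alg": alg}
    # Percent-encode kid so a '/' or '..' in it cannot change the request path.
    return urllib.request.Request(
        f"{SANDBOX}/v1/issuers/keys/{quote(kid, safe='')}/rotate",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample values; a real public key comes from your KMS or HSM.
    req = build_rotate_request("sandbox-key-placeholder", "key-2024", "Ed25519",
                               "key-2025", bytes(range(32)), "Ed25519")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Only the public key leaves the signing environment; pass the returned object to `urllib.request.urlopen` to send it.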


## OpenAPI

````yaml mint-openapi.yaml POST /v1/issuers/keys/{kid}/rotate
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/issuers/keys/{kid}/rotate:
    post:
      tags:
        - Keys
      summary: Rotate Issuer Key
      description: >-
        Rotates a cryptographic key, creating a new key and disabling the old
        one. Optionally specify a new algorithm for the rotated key.
      parameters:
        - name: kid
          in: path
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                alg:
                  $ref: '#/components/schemas/SigningAlgorithm'
                  description: >-
                    Algorithm for the new rotated key. Defaults to the same
                    algorithm as the existing key.
      responses:
        '200':
          description: Key rotated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Key'
      security:
        - APIKey: []
components:
  schemas:
    SigningAlgorithm:
      type: string
      enum:
        - Ed25519
        - ES256
        - ES384
        - ES512
        - RS256
        - RS384
        - RS512
        - PS256
        - PS384
        - PS512
      description: Signing algorithm for key generation
    Key:
      type: object
      properties:
        kid:
          type: string
          description: Key identifier
        issuer_id:
          type: string
          format: uuid
        algorithm:
          $ref: '#/components/schemas/SigningAlgorithm'
        public_key:
          type: string
          description: Base64-encoded public key
        status:
          type: string
          enum:
            - ACTIVE
            - DISABLED
            - EXPIRED
        not_before:
          type: string
          format: date-time
        expires_at:
          type: string
          format: date-time
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````