Additional Secrets

In addition to the primary secret key, each sitekey supports additional secrets. These are useful when you need to:

  • Rotate your secret key without downtime (generate a new secret, update your server, then remove the old one)
  • Use different secrets for different server environments (e.g. multiple backend services verifying the same sitekey)

Viewing additional secrets

Go to the Dashboard, find the sitekey in the list, and click Details/HowTo. The Additional Secrets table is shown below the primary key fields and lists all active additional secrets with their label, expiry date, and actions.

Adding a secret

  1. Open the Details tab of the sitekey.
  2. Click Create Secret.
  3. Optionally enter a Label (e.g. "Rotation key 2") and an Expiry date.
  4. Click Create.

The new secret appears in the table. It is masked by default — click the visibility icon to reveal it, or the copy icon to copy it to the clipboard.

All active secrets (primary + additional) are valid for token verification simultaneously. There is no need to redeploy when adding a new secret.

Removing a secret

Click the Delete button next to the secret you want to remove. A confirmation dialog appears — confirm to permanently delete the secret.

Remove secrets only after updating your server

Removing a secret that is currently in use by a server will cause verification requests using that secret to fail immediately. Update your server configuration to use a different secret before removing the old one.

Key rotation procedure

  1. Add a new additional secret.
  2. Update your server(s) to use the new secret for verification requests.
  3. Wait until all in-flight requests using the old secret have completed.
  4. Remove the old secret.
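
Steps 2 to 4 depend on knowing when no request is still using the old secret. The sketch below is an added example, not code from this product: it tracks in-flight verification requests per secret inside one server process and gates removal on the old secret being both inactive and drained. The class, method names and labels ("primary", "rotation-key-2") are assumptions, and the actual verification call is left to your own integration.

```python
import threading
from contextlib import contextmanager


class SecretUsageTracker:
    """Counts in-flight verification requests per secret label (hypothetical helper)."""

    def __init__(self, active_label):
        self._lock = threading.Lock()
        self._active = active_label   # label of the secret new requests should use
        self._in_flight = {}          # label -> number of requests not yet finished

    def switch_to(self, new_label):
        """Step 2: requests that start from now on use the new secret."""
        with self._lock:
            self._active = new_label

    @contextmanager
    def verifying(self):
        """Wrap one verification request; yields the label of the secret to use."""
        with self._lock:
            label = self._active
            self._in_flight[label] = self._in_flight.get(label, 0) + 1
        try:
            yield label
        finally:
            # Decrement even if the verification call raised.
            with self._lock:
                self._in_flight[label] -= 1

    def safe_to_remove(self, label):
        """Steps 3-4 gate: the secret is not active and has no in-flight requests."""
        with self._lock:
            return label != self._active and self._in_flight.get(label, 0) == 0


def rotation_demo():
    """Constructed scenario: one request starts before the switch and ends after it."""
    tracker = SecretUsageTracker("primary")
    old_request = tracker.verifying()
    old_label = old_request.__enter__()                # started with the old secret
    states = [tracker.safe_to_remove("primary")]       # still the active secret
    tracker.switch_to("rotation-key-2")
    states.append(tracker.safe_to_remove("primary"))   # inactive, but not drained
    with tracker.verifying() as new_label:
        pass                                           # new requests use the new secret
    old_request.__exit__(None, None, None)             # old request completes
    states.append(tracker.safe_to_remove("primary"))   # drained: removal is safe
    return old_label, new_label, states
```

With several backend services verifying the same sitekey, every process has to report the old secret as safe to remove before it is deleted in the Dashboard.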