# API Key Expiration Policy

Administrators can enforce API key rotation by configuring expiration policies. When enabled, API keys automatically expire after a defined lifespan, requiring users to create replacement keys periodically.

## How Expiration Works

- Expiration is determined **at key creation time** based on the active policy settings.
- Once an API key is created, its expiration date cannot be changed.
- Changes to expiration policy settings do **not** apply retroactively to existing keys.
- Expired keys are never automatically deleted — they remain visible in the API Keys portal with an "Expired" status for audit and tracking purposes.
- Authentication attempts with an expired key will fail with a clear error message.


## Configuration Levels

Expiration policies can be set at two levels:

| Level | Configured by | Scope |
|  --- | --- | --- |
| **System (global)** | Account administrators | Applies as the default for all users in the account |
| **User** | Account administrators | Overrides the system-level setting for the keys of the current administrator or of another non-administrator user |


## Available Expiration Options

- Never Expire (default)
- Custom (1–365 days)


The system-level default is "Never Expire." Existing API keys created before an expiration policy is configured retain their original "Never Expire" behavior. To enforce expiration on an account, users must create new API keys after the policy is set.

## Configuring System-Level Expiration

1. Navigate to **Control Panel** > **Security** > **API Keys**.
2. Under **Key Lifespan**, select the desired default expiration period.
3. Save the configuration.


All new API keys created by users in the account will inherit this expiration period unless the user has received a setting override from an administrator.

## Configuring User-Level Expiration

1. Navigate to **Control Panel** > **Security** > **Users** > **Details** > **API Keys**.
2. Under **Key Lifespan**, select your preferred expiration period.
3. Save the configuration.


The user-level setting overrides the system-level default. All new API keys created by that user will use the user-level expiration period.

## Best Practices

- **Enable expiration policies** to enforce regular key rotation and reduce the risk of compromised long-lived credentials.
- **Coordinate key rotation** with your team to ensure automations and workflows are updated before keys expire.
- **Use Write-only keys** for ingestion and third-party integrations to limit exposure.
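
Because policy changes are not retroactive, rotation planning starts with an inventory check. The following added example (not product code) models the rules described above and audits a key list; the dictionary fields, user names, dates, and the 14-day warning window are constructed assumptions, not a product API or export format.

```python
from datetime import datetime, timedelta, timezone

NEVER = None  # models the "Never Expire" option

def effective_lifespan(owner, system_days, user_overrides):
    """A user-level setting, when present, overrides the system-level default."""
    days = user_overrides.get(owner, system_days)
    if days is not NEVER and not 1 <= days <= 365:
        raise ValueError("custom lifespan must be 1-365 days")
    return days

def new_key(name, owner, created, system_days, user_overrides):
    """Expiry is computed once, at creation, from the policy active at that moment."""
    days = effective_lifespan(owner, system_days, user_overrides)
    expires = NEVER if days is NEVER else created + timedelta(days=days)
    return {"name": name, "owner": owner, "created": created, "expires": expires}

def audit(keys, now, system_days, user_overrides, warn_days=14):
    """Return {key name: finding} for a key inventory (hypothetical record layout)."""
    findings = {}
    for k in keys:
        policy = effective_lifespan(k["owner"], system_days, user_overrides)
        if k["expires"] is NEVER:
            # Policy changes are not retroactive, so this key must be replaced by hand.
            findings[k["name"]] = "ok" if policy is NEVER else "never expires: replace"
        elif k["expires"] <= now:
            findings[k["name"]] = "expired"
        elif k["expires"] - now <= timedelta(days=warn_days):
            findings[k["name"]] = "rotate soon"
        else:
            findings[k["name"]] = "ok"
    return findings

def demo():
    """Constructed inventory: one key predates the policy, three were created under it."""
    d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
    overrides = {"ci-bot": 30, "bob": 365}  # constructed user-level settings
    keys = [
        new_key("ingest-old", "alice", d(2023, 1, 10), NEVER, {}),  # created before policy
        new_key("reports", "alice", d(2025, 1, 1), 90, overrides),
        new_key("ci-deploy", "ci-bot", d(2025, 5, 20), 90, overrides),
        new_key("dashboards", "bob", d(2025, 3, 1), 90, overrides),
    ]
    return audit(keys, d(2025, 6, 10), 90, overrides)

if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

Keys reported as "never expires: replace" are the ones the policy cannot reach; they stay valid until someone creates a replacement and retires the old key.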


## FAQ

**What happens to existing keys when I enable an expiration policy?**
Existing keys are not affected. The expiration policy only applies to newly created keys. Users must create new keys to have the expiration enforced.

**Can I extend or change the expiration date of an existing key?**
No. Once a key is created, its expiration date is fixed and cannot be modified. To get a key with a different expiration, create a new one.

**Does expiration apply to Write-only keys?**
Yes. Expiration policies apply equally to both Master and Write-only API keys.

**Can administrators override a stricter system-level policy with a longer expiration for an individual user?**
Yes. User-level settings override system-level settings. Only administrators can configure these settings.