Skip to main content

Overview

EASYCRED supports zero-downtime credential rotation for live integrations. When you rotate your API credentials, the old credentials remain valid for a 7-day grace period — giving you time to update your systems without any service interruption.

Rotation Process

1

Request Rotation

Contact your EASYCRED admin or relationship manager to initiate a credential rotation. The admin triggers the rotation from the EASYCRED admin console.
2

New Credentials Issued

New credentials are generated and delivered to you securely. Both the new apiKey and new signingSecret are issued simultaneously.
Store the new credentials immediately — they are shown only once and cannot be retrieved later.
3

Grace Period Begins (7 days)

The old credentials enter a grace period. During this window, the API gateway accepts requests signed with either the old or the new credentials.
4

Update Your Systems

Update your secret manager, environment variables, and any services using the old credentials to use the new ones. You have 7 days to complete this.
5

Old Credentials Expire

After 7 days, the grace period ends and the old credentials are permanently invalidated. Any requests using the old credentials will receive 401 Unauthorized.

Dual Validation Window

During the grace period, the gateway performs dual validation:
Incoming Request

      ├── Valid with new credentials?  →  ✓ Accept

      └── Valid with old credentials (within 7-day grace)?  →  ✓ Accept
This means you can deploy your updated credentials to services gradually — no coordinated cutover required.

Best Practices

If you believe your credentials have been leaked or exposed, request an emergency rotation immediately. Contact your EASYCRED onboarding manager — do not wait for the scheduled rotation cycle.
Store credentials in a proper secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). This makes rotation easier — you update the secret in one place and all services pick it up automatically.
Make a test request with your new credentials before decommissioning the old ones. Confirm the signature is valid and the response is 200 before updating all services.
Even during debugging, log only the first 8 characters of the apiKey prefix (e.g., ec_live_a1b2c3d4). Never log the signingSecret at all.

Rotation Timeline

DayState
Day 0Rotation triggered — new credentials issued
Day 0–7Grace period — both old and new credentials accepted
Day 7+Grace period expires — old credentials permanently invalidated