Overview
EASYCRED supports zero-downtime credential rotation for live integrations. When you rotate your API credentials, the old credentials remain valid for a 7-day grace period — giving you time to update your systems without any service interruption.Rotation Process
Request Rotation
Contact your EASYCRED admin or relationship manager to initiate a credential rotation. The admin triggers the rotation from the EASYCRED admin console.
New Credentials Issued
New credentials are generated and delivered to you securely. Both the new
apiKey and new signingSecret are issued simultaneously.Grace Period Begins (7 days)
The old credentials enter a grace period. During this window, the API gateway accepts requests signed with either the old or the new credentials.
Update Your Systems
Update your secret manager, environment variables, and any services using the old credentials to use the new ones. You have 7 days to complete this.
Dual Validation Window
During the grace period, the gateway performs dual validation:This means you can deploy your updated credentials to services gradually — no coordinated cutover required.
Best Practices
Rotate on Suspected Compromise
Rotate on Suspected Compromise
If you believe your credentials have been leaked or exposed, request an emergency rotation immediately. Contact your EASYCRED onboarding manager — do not wait for the scheduled rotation cycle.
Use a Secret Manager
Use a Secret Manager
Store credentials in a proper secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). This makes rotation easier — you update the secret in one place and all services pick it up automatically.
Test New Credentials Before Cutover
Test New Credentials Before Cutover
Make a test request with your new credentials before decommissioning the old ones. Confirm the signature is valid and the response is
200 before updating all services.Never Log Full Credentials
Never Log Full Credentials
Even during debugging, log only the first 8 characters of the
apiKey prefix (e.g., ec_live_a1b2c3d4). Never log the signingSecret at all.Rotation Timeline
| Day | State |
|---|---|
| Day 0 | Rotation triggered — new credentials issued |
| Day 0–7 | Grace period — both old and new credentials accepted |
| Day 7+ | Grace period expires — old credentials permanently invalidated |