> ## Documentation Index
> Fetch the complete documentation index at: https://docs.easycred.co.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential Rotation

> Rotate your API key and signing secret without breaking live integrations using EASYCRED's 7-day grace period.

## Overview

EASYCRED supports **zero-downtime credential rotation** for live integrations. When you rotate your API credentials, the old credentials remain valid for a **7-day grace period** — giving you time to update your systems without any service interruption.

***

## Rotation Process

<Steps>
  <Step title="Request Rotation">
    Contact your EASYCRED admin or relationship manager to initiate a credential rotation. The admin triggers the rotation from the EASYCRED admin console.
  </Step>

  <Step title="New Credentials Issued">
    New credentials are generated and delivered to you securely. Both the new `apiKey` and new `signingSecret` are issued simultaneously.

    <Warning>
      Store the new credentials immediately — they are shown **only once** and cannot be retrieved later.
    </Warning>
  </Step>

  <Step title="Grace Period Begins (7 days)">
    The old credentials enter a **grace period**. During this window, the API gateway accepts requests signed with **either** the old or the new credentials.
  </Step>

  <Step title="Update Your Systems">
    Update your secret manager, environment variables, and any services using the old credentials to use the new ones. You have 7 days to complete this.
  </Step>

  <Step title="Old Credentials Expire">
    After 7 days, the grace period ends and the old credentials are permanently invalidated. Any requests using the old credentials will receive `401 Unauthorized`.
  </Step>
</Steps>

***

## Dual Validation Window

During the grace period, the gateway performs dual validation:

```text theme={null}
Incoming Request
      │
      ├── Valid with new credentials?  →  ✓ Accept
      │
      └── Valid with old credentials (within 7-day grace)?  →  ✓ Accept
```

<Info>
  This means you can deploy your updated credentials to services gradually — no coordinated cutover required.
</Info>

***

## Best Practices

<AccordionGroup>
  <Accordion title="Rotate on Suspected Compromise" icon="shield-alert">
    If you believe your credentials have been leaked or exposed, **request an emergency rotation immediately**. Contact your EASYCRED onboarding manager — do not wait for the scheduled rotation cycle.
  </Accordion>

  <Accordion title="Use a Secret Manager" icon="vault">
    Store credentials in a proper secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager). This makes rotation easier — you update the secret in one place and all services pick it up automatically.
  </Accordion>

  <Accordion title="Test New Credentials Before Cutover" icon="flask">
    Make a test request with your new credentials before decommissioning the old ones. Confirm the signature is valid and the response is `200` before updating all services.
  </Accordion>

  <Accordion title="Never Log Full Credentials" icon="eye-off">
    Even during debugging, log only the **first 8 characters** of the `apiKey` prefix (e.g., `ec_live_a1b2c3d4`). Never log the `signingSecret` at all.
  </Accordion>
</AccordionGroup>

***

## Rotation Timeline

| Day     | State                                                          |
| ------- | -------------------------------------------------------------- |
| Day 0   | Rotation triggered — new credentials issued                    |
| Day 0–7 | **Grace period** — both old and new credentials accepted       |
| Day 7+  | Grace period expires — old credentials permanently invalidated |
