All Docs
FeaturesDepositClearUpdated March 13, 2026

API Key Expiry Notifications

API Key Expiry Notifications

To help keep your integrations secure and uninterrupted, the platform automatically monitors the expiry status of all API keys and notifies organisation admins via in-app notifications.

How It Works

A scheduled workflow runs every day at 07:30 UTC. It checks all API keys that have an expiry date set and are not yet revoked, then generates in-app notifications based on the following rules:

Warning: Key Expiring Soon

If an API key's expiresAt date falls within the next 14 days, all admins in the owning organisation receive an in-app warning notification.

  • This gives your team a two-week window to rotate the key before it expires.
  • The notification is generated once per daily sweep for each qualifying key.

Error: Key Already Expired

If an API key's expiresAt date has already passed and the key has not been revoked, all admins in the owning organisation receive an in-app error notification prompting immediate rotation.

  • This catches any keys that were not proactively rotated before their expiry date.
  • Notifications continue to appear on each daily sweep until the key is revoked or replaced.

Who Receives Notifications

Notifications are sent to all organisation admins (org_members with an admin role) within the organisation that owns the expiring or expired key. Standard members do not receive these alerts.

Notification Severity Reference

SituationSeverityRecommended Action
Key expires in 1–14 dayswarningRotate the key before the expiry date
Key expired, not yet revokederrorRotate and revoke the key immediately

Conditions Checked

The workflow only evaluates keys that meet all of the following criteria:

  • expiresAt IS NOT NULL — the key has an explicit expiry date
  • revokedAt IS NULL — the key has not already been revoked

Keys with no expiry date set or keys that are already revoked are excluded from the sweep.

Rotating an API Key

When you receive an expiry notification, navigate to your organisation's API key settings, generate a new key, update any integrations or services using the old key, then revoke the old key to stop further alerts.

Note: Revoking a key immediately stops it from appearing in future expiry sweeps. Always ensure your integrations are updated to the new key before revoking the old one.