Rotate Vultr user API keys with admin access to maintain security and avoid downtime.
Regularly rotating API keys is a critical security practice that reduces the risk of unauthorized access. A safe rotation process ensures your workloads keep running without downtime while you replace old keys with new ones.
Follow this guide to rotate a specific user's API key using the Vultr Customer Portal or the Vultr API.
Send a GET request to the Get Users endpoint to list all users.
$ curl "https://api.vultr.com/v2/users" \
-X GET \
-H "Authorization: Bearer ${VULTR_API_KEY}"
Note the id of the user whose API key you want to rotate.
Send a POST request to the Create User API Key endpoint to generate a new key for that user.
$ curl "https://api.vultr.com/v2/users/{user-id}/apikeys" \
-X POST \
-H "Authorization: Bearer ${VULTR_API_KEY}" \
-H "Content-Type: application/json" \
--data '{
"name": "<api-key-name>",
"expire": true,
"date_expire": "2030-01-01T00:00:00Z"
}'
The response includes the new API key in plain text. Copy and store it securely, as this is the only time you can view it.
Update your applications, scripts, and automation to use the new API key, then validate that they work correctly.
Send a GET request to the List User API Keys endpoint to view all keys for the user.
$ curl "https://api.vultr.com/v2/users/{user-id}/apikeys" \
-X GET \
-H "Authorization: Bearer ${VULTR_API_KEY}"
Identify the id of the old API key you want to remove.
Send a DELETE request to the Delete User API Key endpoint to delete the old key.
$ curl "https://api.vultr.com/v2/users/{user-id}/apikeys/{apikey-id}" \
-X DELETE \
-H "Authorization: Bearer ${VULTR_API_KEY}"
The response returns 204 No Content to confirm successful deletion.
Send another GET request to the List User API Keys endpoint to verify that the old key no longer appears in the response.
$ curl "https://api.vultr.com/v2/users/{user-id}/apikeys" \
-X GET \
-H "Authorization: Bearer ${VULTR_API_KEY}"