How do I rotate my API key?

Cycle a compromised or stale Unison API key by minting a fresh one and revoking the old — with zero downtime and no data loss.

How do I rotate my API key if it's been exposed or I just want to cycle it?

Unison has no single "rotate" call. Rotation means minting a new key, switching to it, then revoking the old one. Your brain data is unaffected: it's stored against your account and workspace, not the key. Keys are managed under /v1/auth/keys.

Rotation flow

1. Mint a new key. The token is shown once — capture it.

curl -X POST https://brain.unisonlabs.ai/v1/auth/keys \
  -H "Authorization: Bearer $UNISON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"ci-2026-06"}'
# → { "id": "key_...", "token": "usk_live_...", ... }

Or with the CLI: unison auth keys create --name ci-2026-06.

2. Roll the new key out everywhere the old one is used — CI secret stores (GitHub Actions, Doppler…), .env files, deployed services — and confirm it works:

curl 'https://brain.unisonlabs.ai/v1/brain/context?q=test' \
  -H "Authorization: Bearer $NEW_UNISON_TOKEN"

3. Revoke the old key once nothing uses it:

curl -X DELETE https://brain.unisonlabs.ai/v1/auth/keys/$OLD_KEY_ID \
  -H "Authorization: Bearer $NEW_UNISON_TOKEN"

Or: unison auth keys revoke <id>. List your keys to find the id: unison auth keys (or GET /v1/auth/keys).
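The three steps above as a two-phase script that refuses to revoke the old key unless the new one authenticates. This is an added example, not Unison's own tooling; the function names, the UNISON_API override and the token file are assumptions, and it relies on the API answering a rejected key with an HTTP error status.

```bash
#!/usr/bin/env bash
# Added example: two-phase key rotation with a verification gate before revoke.
API="${UNISON_API:-https://brain.unisonlabs.ai}"  # UNISON_API override is an assumption

# Extract a string field from the flat JSON object the mint call returns.
# Assumes values contain no escaped quotes; swap in a real JSON parser if available.
json_field() {  # json_field <name> <json>
  printf '%s\n' "$2" |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

mint_key() {  # step 1: prints the JSON response, which contains the one-time token
  curl -fsS -X POST "$API/v1/auth/keys" \
    -H "Authorization: Bearer ${UNISON_TOKEN:?set UNISON_TOKEN}" \
    -H "Content-Type: application/json" -d "{\"name\":\"$1\"}"
}

verify_key() {  # step 2 check: -f makes curl fail on any HTTP error status
  curl -fsS -o /dev/null "$API/v1/brain/context?q=test" -H "Authorization: Bearer $1"
}

revoke_key() {  # step 3: revoke <old_key_id>, authenticating with the new token
  curl -fsS -o /dev/null -X DELETE "$API/v1/auth/keys/$1" -H "Authorization: Bearer $2"
}

start_rotation() {  # start_rotation <new_key_name> <token_file>
  local resp token
  case "$1" in ''|*[!A-Za-z0-9._-]*) echo "unsafe key name" >&2; return 2 ;; esac
  resp=$(mint_key "$1") || { echo "mint failed" >&2; return 1; }
  token=$(json_field token "$resp")
  [ -n "$token" ] || { echo "no token in response" >&2; return 1; }
  # Shown once: write it to an owner-only file and never echo it to the log.
  ( umask 077; printf '%s\n' "$token" > "$2" ) || return 1
  echo "minted $(json_field id "$resp"); roll it out, then run finish" >&2
}

finish_rotation() {  # finish_rotation <old_key_id> <token_file>
  local token
  token=$(cat "$2") || return 1
  verify_key "$token" || { echo "new key rejected; old key left active" >&2; return 1; }
  revoke_key "$1" "$token" && echo "revoked $1" >&2
}

case "${1:-}" in
  start)  start_rotation "$2" "$3" ;;
  finish) finish_rotation "$2" "$3" ;;
esac
```

Run the start phase, update every secret store and service by hand, then run the finish phase with the old key's id.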

Zero downtime

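Because the old and new keys are both valid until you revoke the old one, there's no outage window: roll the new key out first, verify, then revoke. This is the safe default for high-traffic services. The same overlap means an exposed key stays usable until it is revoked, so keep the rollout short when rotating after a leak.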

If you lost the key entirely

If you can't authenticate to mint a new key, use the recovery flow: I lost my API key.
