POST /v1/projects/{project}/scoring/rotate
Rotate a project's site key or private key. The old key is invalidated immediately and a new one is returned.
```bash
curl -X POST https://api.botect.ai/v1/projects/123/scoring/rotate \
  -H "Authorization: Bearer YOUR_ACCOUNT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "type": "private" }'
```

```javascript
const res = await fetch('https://api.botect.ai/v1/projects/123/scoring/rotate', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${process.env.BOTECT_TOKEN}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ type: 'private' }),
});
const { key } = await res.json();
```

```python
import os, requests

r = requests.post(
    "https://api.botect.ai/v1/projects/123/scoring/rotate",
    headers={"Authorization": f"Bearer {os.environ['BOTECT_TOKEN']}"},
    json={"type": "private"},
)
key = r.json()["key"]
```

```json
{
  "type": "private",
  "key": "sk_7dN…"
}
```
Issues a fresh site key or private key for a project and invalidates the previous one immediately — use it after a suspected leak, or to retrieve a private key you didn't store. Scoring must already be enabled.
POST https://api.botect.ai/v1/projects/{project}/scoring/rotate
Authentication
Account API token via Authorization: Bearer <token>. The project must belong to the token's account. See Authentication.
Path parameters
project: The project ID.
Body
type: Which key to rotate: site or private.
Example
Response fields
type: The key type that was rotated (site or private).
key: The new key. For private, this is your only chance to capture it.
Rotation is immediate: in-flight requests using the old key start failing with 401 as soon as the new key is issued. Deploy the new key before (or as) you rotate.
Errors
| Status | code | When |
|---|---|---|
| 401 | UNAUTHENTICATED | Missing / bad account token |
| 403 | — | Project does not belong to the token's account |
| 409 | — | Scoring is not enabled — enable it first |
| 422 | INVALID_PAYLOAD | type missing or not site/private |
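
Because the old key dies immediately and a private key is returned only once, a rotation wrapper should persist the new key before doing anything else and keep it out of logs. The sketch below is an added example, not Botect's own client code: `rotate_key`, `http_post`, `RotateError` and the `store` callback are hypothetical names, and it assumes success is any 2xx status.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.botect.ai/v1/projects/{project}/scoring/rotate"
# Reasons copied from the Errors table on this page.
REASONS = {401: "missing or bad account token",
           403: "project does not belong to the token's account",
           409: "scoring is not enabled; enable it first",
           422: "type missing or not site/private"}

class RotateError(Exception):
    def __init__(self, status):
        super().__init__(f"rotate failed ({status}): "
                         f"{REASONS.get(status, 'unexpected status')}")
        self.status = status

def http_post(url, headers, body):
    """Default transport: returns (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def rotate_key(project, key_type, token, store, post=http_post):
    """Rotate one key; `store` (hypothetical callback) must persist it."""
    if key_type not in ("site", "private"):
        raise ValueError("key_type must be 'site' or 'private'")  # avoid a 422
    url = API.format(project=urllib.parse.quote(str(project), safe=""))
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    status, data = post(url, headers, json.dumps({"type": key_type}).encode())
    if not 200 <= status < 300:  # assumption: success is any 2xx
        raise RotateError(status)
    key = data["key"]
    store(data["type"], key)  # persist first: a private key is returned only once
    # Return a fingerprint, not the key, so callers can log the rotation safely.
    return {"type": data["type"],
            "fingerprint": hashlib.sha256(key.encode()).hexdigest()[:12]}
```

Pass a `store` that writes to your secret manager; if it raises, the exception propagates and the new key is never logged or returned.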