Rotating API tokens

Five-step guide to safely rotating a live ISA API token with zero downtime.

This guide walks through a safe, zero-downtime token rotation. The ISA platform keeps the old token valid for 24 hours after you issue a new one — use that window to roll the new credential through your fleet.

When to rotate

Rotate immediately if:

  • A token was exposed in logs, a repository, an error report, or a support ticket.
  • An employee with access to the token leaves the organization.
  • Your security policy requires periodic rotation (recommended: every 90 days for live tokens).

Step 1 — Issue the new token

Open dashboard.isaapi.com → API Keys → Rotate next to the token you want to replace.

The dashboard shows the new token once. Store it immediately in your secrets manager before closing the dialog.

The old token remains active. No requests are disrupted at this point.

Step 2 — Deploy the new token

Update the secret in every environment that uses the token:

# Example: AWS Secrets Manager
aws secretsmanager put-secret-value \
  --secret-id prod/isa-token \
  --secret-string "isa_live_<NEW_TOKEN>"

# Example: Heroku
heroku config:set ISA_TOKEN="isa_live_<NEW_TOKEN>" --app your-app

# Example: Kubernetes secret
kubectl create secret generic isa-credentials \
  --from-literal=ISA_TOKEN="isa_live_<NEW_TOKEN>" \
  --dry-run=client -o yaml | kubectl apply -f -

Then roll your deployment so the new token is live. Because of the 24-hour grace period, old pods still using the old token continue to work until they cycle out.

Step 3 — Verify the new token works

Make one test call before the old token expires:

curl -s -X POST https://zyins.isaapi.com/v3/prequalify \
  -H "Authorization: Bearer $ISA_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "applicant": {
      "sex": "male", "dob": "1962-04-18",
      "height_inches": 70, "weight_lbs": 195
    },
    "coverage": { "face_amount_cents": 2500000, "state": "NC" },
    "products": ["prod_c8f21a4b-9e3d-4b5c-a1e2-f3d4e5f6a7b8"]
  }' | jq '.request_id'

A request_id in the response confirms the new token is valid and your deployment picked it up.

Step 4 — Revoke the old token (optional)

The old token expires automatically after 24 hours. If the exposure was a security incident, revoke it immediately:

Open dashboard.isaapi.com → API Keys → Revoke next to the old key.

Revocation is instant. Any in-flight requests using the old token will receive 401 invalid_token. Ensure your deployment has fully cut over before revoking early.

Step 5 — Audit the exposure (if applicable)

If you are rotating because of an exposure:

  1. Check your API usage in the dashboard — look for unexpected request volumes, unfamiliar IPs, or calls to endpoints your service does not use.
  2. File a ticket at [email protected] with the request_id values of any suspicious calls. Include the approximate exposure window.
  3. Review how the token leaked — CI logs, environment dumps, error reporting tools — and close the vector before rotating again.
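A small triage script for the audit above, added here as an example (it is not ISA's tooling). It assumes a hypothetical comma-separated usage export with timestamp, source IP, method, path and request_id per line, and works over a constructed sample of such lines:

```python
"""Triage API-usage records inside a suspected token-exposure window.

Assumed input format (hypothetical, not an ISA export): one record per
line, comma-separated: timestamp, source_ip, method, path, request_id.
"""
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed sample lines; IPs, paths and request_ids are made up.
SAMPLE_USAGE = """\
2024-05-02T09:14:03Z,203.0.113.10,POST,/v3/prequalify,req_a1
2024-05-02T11:40:51Z,203.0.113.11,POST,/v3/prequalify,req_a2
2024-05-02T13:02:17Z,198.51.100.7,POST,/v3/prequalify,req_b1
2024-05-02T13:02:19Z,198.51.100.7,GET,/v3/applicants,req_b2
2024-05-02T13:02:20Z,198.51.100.7,GET,/v3/applicants,req_b3
2024-05-03T08:00:00Z,203.0.113.10,POST,/v3/prequalify,req_a3
"""

# What "normal" looks like for this service (assumptions for the example).
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]   # your NAT / egress ranges
EXPECTED_PATHS = {"/v3/prequalify"}             # endpoints your code calls
MAX_CALLS_PER_SOURCE = 2                        # volume threshold per source

def parse(lines: Iterable[str]):
    """Yield (timestamp, ip, method, path, request_id) tuples."""
    for line in lines:
        if line.strip():
            ts, ip, method, path, rid = line.strip().split(",")
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, rid

def suspicious_request_ids(usage: str, window_start: datetime, window_end: datetime) -> dict:
    """Return {request_id: reason} for calls inside the exposure window that
    came from an unfamiliar source, hit an unexpected endpoint, or are part
    of an unusually high volume from one source. Feed these ids to the ticket."""
    rows = [r for r in parse(usage.splitlines()) if window_start <= r[0] <= window_end]
    per_source = Counter(ip for _, ip, _, _, _ in rows)
    findings = {}
    for _, ip, method, path, rid in rows:
        reasons = []
        if not any(ip_address(ip) in net for net in KNOWN_EGRESS):
            reasons.append(f"unfamiliar source {ip}")
        if path not in EXPECTED_PATHS:
            reasons.append(f"unexpected endpoint {method} {path}")
        if per_source[ip] > MAX_CALLS_PER_SOURCE:
            reasons.append(f"high volume ({per_source[ip]} calls)")
        if reasons:
            findings[rid] = "; ".join(reasons)
    return findings

if __name__ == "__main__":
    start = datetime(2024, 5, 2, 12, tzinfo=timezone.utc)   # approximate exposure window
    end = datetime(2024, 5, 3, 0, tzinfo=timezone.utc)
    for rid, why in suspicious_request_ids(SAMPLE_USAGE, start, end).items():
        print(rid, why)
```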