Postcoder now supports API key rotation
Customers can now replace their API key on demand, without any involvement from the Postcoder team.
Keeping your Postcoder integration secure means keeping control of your API key. That's why we've added API key rotation to the Postcoder admin area - letting you replace your current key with a new one whenever you need to, entirely on your own schedule.
The most common reason to rotate an API key is accidental exposure. It happens to even the most careful dev teams: a key gets committed to a public source code repo, shared in a Slack message or left in a config file that ends up somewhere it shouldn't. When that happens, the faster you can replace the key, the better. Previously, doing so required coordinating with the Postcoder team - potentially across time zones - to swap both ends of the connection at the same time. Now you can handle it yourself, immediately.
How API key rotation works
When you trigger a rotation from the API keys page in the Postcoder admin area, a new API key is generated alongside your existing one. Both keys remain active during a transition window, giving you time to update your code, redeploy your application or coordinate across your team without any interruption to your service.
You choose when your old API key expires. If you need a few hours, take a few hours. If you need longer, you can set the window accordingly. You can also expire the old key immediately if you want to cut it off straight away - for example, if you know a key has been compromised and want to act fast.
Throughout the process, your Postcoder dashboard will always show the active key prominently, to ensure anyone new to the account picks up the right one from the start.
Reminders and safeguards
To help you stay on top of a rotation in progress, everyone listed in your account's alerts will receive an email warning when two hours remain before the old API key expires. That gives any final checks or code deployments enough time to complete before the old key stops working.
If you change your mind partway through - perhaps you triggered a rotation by accident or your team needs more time - you can cancel it from the API keys page. If your old key has already expired, you'll be given the same transition window options as when you started, giving you time to revert any code changes.
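A check you might run during the transition window described above, as an added example that is not Postcoder's own code: it searches a deployment's config files for remaining references to the old key, comparing SHA-256 fingerprints so the key itself never has to be passed around in plaintext, and grades the result against the old key's expiry time and the two-hour reminder. The key format (a single token of 16 or more URL-safe characters), the `POSTCODER_API_KEY` variable name, the file names and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: a key is a single token of 16+ URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
REMINDER = timedelta(hours=2)  # the reminder email goes out when this much time remains

def fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

def find_old_key_refs(root: Path, old_key_fp: str) -> list[tuple[str, int]]:
    """Return (relative path, line number) for every occurrence of the old key."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # skip binaries and unreadable files
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(fingerprint(t) == old_key_fp for t in TOKEN_RE.findall(line)):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits

def rollout_state(hits, old_key_expires: datetime, now: datetime) -> str:
    """Grade leftover references against the time left on the old key."""
    if not hits:
        return "clean"
    remaining = old_key_expires - now
    if remaining <= timedelta(0):
        return "broken"  # old key has expired while something still uses it
    return "urgent" if remaining <= REMINDER else "pending"

def demo():
    # Constructed sample keys and files; nothing here is a real credential.
    old, new = "CONSTRUCTED-OLD-KEY-0001", "CONSTRUCTED-NEW-KEY-0002"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.env").write_text(f"POSTCODER_API_KEY={new}\n")
        (root / "worker").mkdir()
        (root / "worker" / "settings.ini").write_text(f"[lookup]\napi_key = {old}\n")
        hits = find_old_key_refs(root, fingerprint(old))
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return hits, rollout_state(hits, now + timedelta(hours=1), now)

if __name__ == "__main__":
    print(demo())
```

A "clean" result before the window closes means the old key can be expired early; the scan only covers files on disk, so keys held in a secret manager or CI variables need checking separately.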
Why we built this
Incidents involving accidentally exposed API keys are genuinely stressful, and the last thing you need in that moment is to be waiting on a support team to act. We wanted to put you in control so you can respond at your own pace, without the back-and-forth.
The feature is also useful in less urgent situations - for example, as part of a regular security review, when offboarding a team member who had access to your codebase, or when migrating between environments.
Getting started
API key rotation is available now for all Postcoder customers. To get started, log in to your Postcoder account and visit the API keys page.
If you have any questions about the feature or need help with a rotation, the Postcoder support team is always happy to help - just get in touch.