Rotate and Manage API Keys

API Key Overview

LightYear API keys grant programmatic access to your account. Treat them like passwords — never share them or commit them to version control.

Creating an API Key

1. Go to Account → API Keys → Create API Key.
2. Give it a descriptive label, e.g. terraform-prod.
3. Copy the key immediately — it is only shown once.

Key Permissions

All API keys have full account access. Granular permissions (read-only, resource-specific) are on the roadmap.

Storing Keys Securely

Environment Variables

$export LIGHTYEAR_API_KEY="your-key-here"

GitHub Actions Secrets

env:
  LIGHTYEAR_API_KEY: ${{ secrets.LIGHTYEAR_API_KEY }}

HashiCorp Vault

$vault kv put secret/lightyear api_key="your-key-here"

Rotating a Key

1. Create a new API key.
2. Update all systems using the old key.
3. Verify the new key works.
4. Delete the old key.

Rotate keys every 90 days or immediately after a suspected compromise.

Revoking a Compromised Key

1. Go to Account → API Keys.
2. Click Delete next to the compromised key.
3. The key is invalidated immediately.

Detecting Unauthorised Use

Monitor your API key usage in Account → Audit Log. Look for:

• Unexpected server deployments
• API calls from unknown IP addresses
• Unusual hours of activity