IsoKron

Rotating your BYOK key

Last updated

Vendor keys should be rotated periodically and immediately whenever you suspect leakage. We support an add-then-remove flow that avoids any window where we have no key on file for your workspace.

Routine rotation

  1. Generate a fresh key in your vendor's console. Save it in your password manager; we will not display it after save.
  2. Open Settings → Keys and click Add key. Paste the new key. We will validate it with a one-token test call.
  3. Set the new key as Default.
  4. Delete the old key (shown as …<last 4> · Active (previous)).

What happens to compilations already in flight

A compilation already running uses the key that was attached when the run started. There is no mid-run swap. New runs kicked off after you mark the new key as Default will use the new key.

What we never do

  • We never display the full text of any saved key (last 4 characters only).
  • We never silently fall back from your old key to a different customer's key, or from your key to our operator credentials.
  • We never silently fall back from operator credentials (used for the Layer 4 critic that runs immediately before commit) to your BYOK. The two paths share no code.

If you suspect the old key was leaked

Email security@isokron.ai immediately. We will:

  • Confirm the new key is valid and set as Default.
  • Hard-delete the old key from our vault.
  • Help you review your audit log for any anomalous activity that may have used the old key.
  • Walk you through revoking the old key in the vendor's console (which is the action that actually stops the leaked key from being used by a third party).

Keeping multiple vendors

You can have keys from more than one vendor on file (Anthropic + OpenAI, for example). The Default flag determines which vendor a new compilation uses by default; per-project defaults are on our roadmap.

If validation fails for a key you are sure is valid

Confirm there are no leading or trailing spaces in the paste. If the issue persists across multiple workspaces or multiple vendors, it is more likely a platform-side problem than your key — check our status page or email support.

Paired with the SR-ROTATE-001 customer-support flow.

← All docs