> ## Documentation Index
> Fetch the complete documentation index at: https://docs.orbitsearch.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Revoke or delete an Orbit Search API key

> Deactivate an Orbit Search API key from the dashboard when rotating credentials, decommissioning a service, or responding to a suspected exposure.

When you need to retire a key, use the [Orbit developer dashboard](https://developer.orbitsearch.com/dashboard/keys). Revocation takes effect immediately: the key stops authenticating requests as soon as the dashboard action completes.

## Revoke vs. delete

| Action | Best for                                                | Result                                                         |
| ------ | ------------------------------------------------------- | -------------------------------------------------------------- |
| Revoke | Rotation, suspected exposure, production key retirement | The key becomes inactive but remains visible as audit metadata |
| Delete | Permanent cleanup of throwaway or test keys             | The key metadata is removed from your key list                 |

Prefer **revoke** for production keys. It preserves the audit trail, including the safe `display_key`, scopes, creation time, and last-used timestamp.

## Rotation workflow

<Steps>
  <Step title="Issue a replacement key">
    Open **Dashboard** → **API keys**, generate a new key with the same required scopes, and store the raw `sk_orb_...` value in your secrets manager.
  </Step>

  <Step title="Move traffic gradually">
    Update one caller or environment at a time to use the replacement key.
  </Step>

  <Step title="Verify usage">
    Watch the replacement key's last-used timestamp and usage in the dashboard until it reflects live traffic.
  </Step>

  <Step title="Revoke the old key">
    Once no callers use the old key, revoke it from the dashboard.
  </Step>
</Steps>

<Warning>
  Do not delete a production key during rotation unless you are certain you no longer need its metadata. Revoked keys are safer for audits and incident response.
</Warning>

## Public API behavior

Developer API keys cannot revoke, delete, or manage other keys. If a revoked or deleted key is used for search or profile reads, the API returns `403 invalid_api_key`.
