Provider Key Rotation

Provider key rotation replaces the upstream credential a model uses without changing the caller-facing API key or model alias.

In AISIX Cloud, rotate a provider credential by creating a replacement provider key, updating the model to reference it, and confirming live traffic before removing the old key. Callers keep using the same caller API key and model name.

Rotate a Provider Key

To rotate an upstream credential, create a replacement provider key, update the model to reference it, and wait for projection to reach the managed gateway. Send a live request through the managed gateway endpoint before removing or disabling the old provider key.

The caller does not need a new caller API key. The application also does not need to change the model alias if the model resource keeps the same name.

What changes is the provider key reference AISIX uses when it sends the request upstream. The existing provider key can stay in place until live traffic confirms the replacement path.

Verify Rotation

After rotation, confirm the model references the replacement provider key, the update reached the managed gateway, and a live request through the managed gateway endpoint succeeds. Use logs or usage events to confirm live traffic uses the updated path, then remove the old credential only after live traffic is confirmed.

If Cloud shows the new provider key but live traffic still uses old behavior, check projection timing and the model's provider-key reference before assuming the new credential is invalid.

If live traffic fails after rotation, check the new upstream credential, provider-specific authentication behavior, and model reference. If the provider key is valid but the gateway has not received the update, verify resource projection.

Next Steps

You have now seen how to rotate a provider credential without changing caller-facing access. Continue with Usage Reporting to understand how managed gateways report live traffic back to AISIX Cloud.