IAM & Access
Rotate and Revoke Credentials
Safely replace or disable API-key and service-account credentials.
Rotate credentials when onboarding new environments, changing operators, or responding to potential exposure.
Current Infuse IoT token limitation: Rotating an IAM API-key credential under Access > API Keys does not rotate the legacy organisation-level admin token used by current Infuse IoT API flows. Manage that token from
/admin/developer.API-Key Credentials
API-key credential rotation is a replace-and-revoke flow:
- Issue a replacement credential.
- Deploy the replacement to the integration.
- Confirm the integration is using the new credential.
- Revoke the old credential.
Issue and revoke API-key credentials from Access > API Keys.
Revoking a credential disables that credential only. Other active credentials on the same principal continue to work.
Service-Account Secrets
Service-account secrets are API-managed. The IAM API supports secret rotation:
POST /iam/principals/{principalId}/service-account-secrets/rotate
The rotation request can optionally revoke the previous secret.
You can also revoke a specific service-account secret:
DELETE /iam/principals/{principalId}/service-account-secrets/{secretId}
When to Revoke Immediately
Revoke a credential immediately when:
- it may have been exposed,
- it was committed to a repository,
- the integration no longer uses it,
- an operator or environment that had access is decommissioned,
- the credential was created for testing and is no longer needed.
After revocation, calls using that credential will fail authentication.