feat: v2 reroll key endpoint (#3785)

* feat: initial reroll struct

* add basic test

* test and fix ratelimit and add reroll event

* cleanup file

* docs changes

* docs changes

* docs changes

* change auditlog

* Update go/pkg/db/custom_types.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* rabbit fixes

* rabbit fixes

* run in parallel

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: Flo4604

apps/dashboard/lib/trpc/routers/audit/llm-search/utils.ts

@@ -215,7 +215,7 @@ ${validEventTypes.map((event) => `   - ${event}`).join("\n")}
    - workspace.create, workspace.update, workspace.delete, workspace.opt_in
    - gateway.create, llmGateway.create, llmGateway.delete
    - api.create, api.update, api.delete
-   - key.create, key.update, key.delete
+   - key.create, key.update, key.delete, key.reroll
    - ratelimitNamespace.create, ratelimitNamespace.update, ratelimitNamespace.delete
    - vercelIntegration.create, vercelIntegration.update, vercelIntegration.delete
    - vercelBinding.create, vercelBinding.update, vercelBinding.delete

go/apps/api/integration/harness.go

@@ -87,7 +87,7 @@ func New(t *testing.T, config Config) *Harness {
 		ctx:           ctx,
 		cancel:        cancel,
 		instanceAddrs: []string{},
-		Seed:          seed.New(t, db),
+		Seed:          seed.New(t, db, nil),
 		dbDSN:         mysqlHostDSN,
 		DB:            db,
 		CH:            ch,

go/apps/api/openapi/gen.go

@@ -926,6 +926,57 @@ components:
                     "$ref": "#/components/schemas/Meta"
                 data:
                     "$ref": "#/components/schemas/V2KeysRemoveRolesResponseData"
+        V2KeysRerollKeyRequestBody:
+            type: object
+            required:
+                - keyId
+                - expiration
+            properties:
+                keyId:
+                    type: string
+                    minLength: 3
+                    maxLength: 255
+                    pattern: "^[a-zA-Z0-9_]+$"
+                    description: |
+                        The database identifier of the key to reroll.
+
+                        This is the unique ID returned when creating or listing keys, NOT the actual API key token.
+                        You can find this ID in:
+                        - The response from `keys.createKey`
+                        - Key verification responses
+                        - The Unkey dashboard
+                        - API key listing endpoints
+                    example: key_2cGKbMxRyIzhCxo1Idjz8q
+                expiration:
+                    type: integer
+                    format: int64
+                    minimum: 0
+                    maximum: 4102444800000
+                    description: |
+                        Duration in milliseconds until the ORIGINAL key is revoked, starting from now.
+
+                        This parameter controls the overlap period for key rotation:
+                        - Set to `0` to revoke the original key immediately
+                        - Positive values keep the original key active for the specified duration
+                        - Allows graceful migration by giving users time to update their credentials
+
+                        Common overlap periods:
+                        - Immediate revocation: 0
+                        - 1 hour grace period: 3600000
+                        - 24 hours grace period: 86400000
+                        - 7 days grace period: 604800000
+                        - 30 days grace period: 2592000000
+                    example: 86400000
+        V2KeysRerollKeyResponseBody:
+            type: object
+            required:
+                - meta
+                - data
+            properties:
+                meta:
+                    "$ref": "#/components/schemas/Meta"
+                data:
+                    "$ref": "#/components/schemas/V2KeysRerollKeyResponseData"
         V2KeysSetPermissionsRequestBody:
             type: object
             required:
@@ -2476,6 +2527,43 @@ components:
                 - Changes take effect immediately for new verifications but cached sessions may retain old permissions briefly
             items:
                 "$ref": "#/components/schemas/Role"
+        V2KeysRerollKeyResponseData:
+            type: object
+            properties:
+                keyId:
+                    type: string
+                    description: |
+                        The unique identifier for the newly created key.
+
+                        This is NOT the actual API key token, but a reference ID for management operations.
+                        Store this ID to:
+                        - Update or revoke the key later
+                        - Track the key in your database
+                        - Display in admin dashboards (safe to log)
+
+                        Note: This is a new ID - the original key retains its own ID.
+                    example: key_2cGKbMxRyIzhCxo1Idjz8q
+                key:
+                    type: string
+                    description: |
+                        The newly generated API key token (the actual secret that authenticates requests).
+
+                        **SECURITY CRITICAL:**
+                        - This is the only time you'll receive the complete key
+                        - Unkey stores only a hashed version (unless the original key was created with `recoverable=true`)
+                        - Never log, store, or expose this value in your systems
+                        - Transmit directly to the end user via secure channels only
+                        - If lost and not recoverable, you must reroll or create a new key
+
+                        The key format follows: `[prefix]_[random_bytes]`
+                        - Prefix is extracted from the original key or uses API default
+                        - Random bytes follow API configuration (default: 16 bytes)
+
+                        This is NOT the keyId - it's the actual secret token used for authentication.
+                    example: prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT
+            required:
+                - keyId
+                - key
         V2KeysSetPermissionsResponseData:
             type: array
             description: |-
@@ -4323,6 +4411,91 @@ paths:
             tags:
                 - keys
             x-speakeasy-name-override: removeRoles
+    /v2/keys.rerollKey:
+        post:
+            description: |
+                Generate a new API key while preserving the configuration from an existing key.
+
+                This operation creates a fresh key with a new token while maintaining all settings from the original key:
+                - Permissions and roles
+                - Custom metadata
+                - Rate limit configurations
+                - Identity associations
+                - Remaining credits
+                - Recovery settings
+
+                **Key Generation:**
+                - The system attempts to extract the prefix from the original key
+                - If prefix extraction fails, the default API prefix is used
+                - Key length follows the API's default byte configuration (or 16 bytes if not specified)
+
+                **Original Key Handling:**
+                - The original key will be revoked after the duration specified in `expiration`
+                - Set `expiration` to 0 to revoke immediately
+                - This allows for graceful key rotation with an overlap period
+
+                Common use cases include:
+                - Rotating keys for security compliance
+                - Issuing replacement keys for compromised credentials
+                - Creating backup keys with identical permissions
+
+                **Important:** Analytics and usage metrics are tracked at both the key level AND identity level. If the original key has an identity, the new key will inherit it, allowing you to track usage across both individual keys and the overall identity.
+
+                **Required Permissions**
+
+                 Your root key must have:
+                 - `api.*.create_key` or `api.<api_id>.create_key`
+                 - `api.*.encrypt_key` or `api.<api_id>.encrypt_key` (only when the original key is recoverable)
+            operationId: rerollKey
+            requestBody:
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/V2KeysRerollKeyRequestBody'
+                required: true
+            responses:
+                "200":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/V2KeysRerollKeyResponseBody'
+                    description: Key rerolled successfully.
+                "400":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/BadRequestErrorResponse'
+                    description: Bad request
+                "401":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/UnauthorizedErrorResponse'
+                    description: Unauthorized
+                "403":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/ForbiddenErrorResponse'
+                    description: Forbidden
+                "404":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/NotFoundErrorResponse'
+                    description: Not found
+                "500":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/InternalServerErrorResponse'
+                    description: Internal server error
+            security:
+                - rootKey: []
+            summary: Reroll Key
+            tags:
+                - keys
+            x-speakeasy-name-override: rerollKey
     /v2/keys.setPermissions:
         post:
             description: |

go/apps/api/openapi/openapi-generated.yaml

@@ -154,6 +154,8 @@ paths:
 
   /v2/keys.createKey:
     $ref: "./spec/paths/v2/keys/createKey/index.yaml"
+  /v2/keys.rerollKey:
+    $ref: "./spec/paths/v2/keys/rerollKey/index.yaml"
   /v2/keys.updateKey:
     $ref: "./spec/paths/v2/keys/updateKey/index.yaml"
   /v2/keys.updateCredits:

go/apps/api/openapi/openapi-split.yaml

@@ -0,0 +1,40 @@
+type: object
+required:
+  - keyId
+  - expiration
+properties:
+  keyId:
+    type: string
+    minLength: 3
+    maxLength: 255
+    pattern: "^[a-zA-Z0-9_]+$"
+    description: |
+      The database identifier of the key to reroll.
+
+      This is the unique ID returned when creating or listing keys, NOT the actual API key token.
+      You can find this ID in:
+      - The response from `keys.createKey`
+      - Key verification responses
+      - The Unkey dashboard
+      - API key listing endpoints
+    example: key_2cGKbMxRyIzhCxo1Idjz8q
+  expiration:
+    type: integer
+    format: int64
+    minimum: 0
+    maximum: 4102444800000
+    description: |
+      Duration in milliseconds until the ORIGINAL key is revoked, starting from now.
+
+      This parameter controls the overlap period for key rotation:
+      - Set to `0` to revoke the original key immediately
+      - Positive values keep the original key active for the specified duration
+      - Allows graceful migration by giving users time to update their credentials
+
+      Common overlap periods:
+      - Immediate revocation: 0
+      - 1 hour grace period: 3600000
+      - 24 hours grace period: 86400000
+      - 7 days grace period: 604800000
+      - 30 days grace period: 2592000000
+    example: 86400000

go/apps/api/openapi/spec/paths/v2/keys/rerollKey/V2KeysRerollKeyRequestBody.yaml

@@ -0,0 +1,19 @@
+type: object
+required:
+  - meta
+  - data
+properties:
+  meta:
+    "$ref": "../../../../common/Meta.yaml"
+  data:
+    "$ref": "./V2KeysRerollKeyResponseData.yaml"
+examples:
+  rerollKey:
+    summary: Key rerolled successfully
+    description: Successfully rerolled a key
+    value:
+      meta:
+        requestId: req_abc123def456
+      data:
+        keyId: key_2cGKbMxRyIzhCxo1Idjz8q
+        key: prod_2cGKbMxRjIzhCxo1IdjH3arELti7Sdyc8w6XYbvtcyuBowPT