Rotate secret key

Rotates the keyset's secret key. Supports two rotation modes depending on whether an expiration time is provided:

Rotation with Overlap (paid plan required): When expiresAt is provided:

The current permanent secret key is assigned the specified expiration time
A new permanent (non-expiring) secret key becomes the current key and is returned in the response
You may replace the previous secret key with the new one without downtime.

Requirements:

Requires a paid plan
Maximum 5 rotated secret keys per keyset
Expiration must be at least 60 seconds in the future
Expiration must be at most 366 days in the future

Immediate Rotation: When expiresAt is NOT provided:

The current secret key is immediately replaced with a new randomly generated secret key
The old secret key becomes invalid
There is no overlap period. We recommend you use this in development and testing environments

Path Parameters
`keysetId` string — REQUIRED a string to be decoded into a number

Header Parameters
`PubNub-Version` string — REQUIRED Possible values: [`2025-11-01`]

Request Body — REQUIRED
`expiresAt` date-time Possible values: Value must match regular expression `^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?Z$` Timestamp in ISO 8601 UTC format. Must end with "Z" to indicate UTC timezone.

Responses

201

Success

Schema — OPTIONAL
`secretKey` string The newly generated non-expiring secret key for the keyset

400

Bad Request Error

Schema — OPTIONAL
`statusCode` number
`error` string Possible values: [`BadRequest`]
`message` string[]

401

UnauthorizedError

Schema — OPTIONAL
`statusCode` number
`error` string Possible values: [`Unauthorized`]
`message` string[]

403

ForbiddenError

Schema — OPTIONAL
undefined

404

NotFoundError

Schema — OPTIONAL
`statusCode` number
`error` string Possible values: [`NotFound`]
`message` string[]

500

InternalErrorError

Schema — OPTIONAL
`statusCode` number
`error` string Possible values: [`InternalError`]
`message` string[]

* required

PubNub-Version*

Type: string

Possible values: [2025-11-01]

* required

keysetId*

Type: string

expiresAt

Type: string

Timestamp in ISO 8601 UTC format. Must end with "Z" to indicate UTC timezone.

Pattern: ^\d{4}-\d{2}-\d{2}T\...Format: date-time

secretKey

Type: string

The newly generated non-expiring secret key for the keyset

Example Response

{
  "secretKey": "sec-c-abcd123"
}

statusCode

Type: number

error

Type: string

Enum (1 values)

View all values

"BadRequest"

message

Type: array

Array items:

items

Type: string

statusCode

Type: number

error

Type: string

Enum (1 values)

View all values

"Unauthorized"

message

Type: array

Array items:

items

Type: string

statusCode

Type: number

error

Type: string

Enum (1 values)

View all values

"NotFound"

message

Type: array

Array items:

items

Type: string

statusCode

Type: number

error

Type: string

Enum (1 values)

View all values

"InternalError"

message

Type: array

Array items:

items

Type: string

Header Parameters

Path Parameters

Request Body

Responses