bhatti user rotate-key
bhatti user rotate-key server only
Section titled “bhatti user rotate-key ”Rotate a user’s API key.
Synopsis
Section titled “Synopsis”sudo bhatti user rotate-key <name>
Description
Section titled “Description”Generates a new API key, stores its SHA-256 hash, and prints the plaintext once. The previous key is invalidated server-side immediately — any in-flight requests using the old key fail with 401.
Use this when:
- A key may have leaked.
- A user has lost their key (the original is unrecoverable).
- You have a key-rotation policy.
The user’s existing sandboxes, secrets, volumes, snapshots, and images are all preserved — only the auth token changes.
Records a user.key_rotated event in the audit log.
Examples
Section titled “Examples”sudo bhatti user rotate-key aliceAPI key rotated for "alice" New key: bht_xyz789...
The old key is immediately invalidated.This key will not be shown again. Save it now.After rotation, give the user the new key. They run bhatti setup to update their config.
Options
Section titled “Options”This command takes only global flags. See Global flags for --url, --token, --json, --timing, --data-dir.
See also
Section titled “See also”bhatti user createbhatti setup— what the user runs to install the new key