R-KEY-EXPIRY
When to use
Production traffic is blocked because a key expired before rotation
completed. Trigger alerts: key_expired_blocked, repeated
authentication failures for a known production caller. Supporting
signal: /v1/auth/keys/expiring-soon showed the key inside the
operator's alert window and was not acted on.
Identify
Find which key class is affected:
Capture recent auth and admin audit events:
curl -s "https://your-node.example.com/v1/audit/events?limit=200" \
  -H "Authorization: Bearer $STIGMEM_ADMIN_KEY" | jq .
Contain
- Do not extend an expired key by editing the database by hand.
- Keep the failed key material for audit, but stop issuing new tokens with it.
- If admin access is still available, create a replacement key immediately.
- If admin access is unavailable, use your documented break-glass procedure.
Investigate
Determine why the rotation was missed:
- Alert configured: Was a key_expiring_soon alert configured?
- Backed by query: Was the alert backed by /v1/auth/keys/expiring-soon or an equivalent database/SIEM query?
- Right owner: Did the alert route to the right owner?
- Missing owner: Did the key lack an owner or rotation date?
- Peer coordination: Was the rotation procedure blocked by peer coordination?
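The inventory check behind the questions above, as an added example that is not the project's own code: it flags keys that are expired, inside the alert window, or missing an owner or rotation date. The field names (id, owner, expires_at, rotate_by), the 14-day window and the sample records are assumptions; this page does not show the response schema of /v1/auth/keys/expiring-soon.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names are assumptions, not the
# documented schema of /v1/auth/keys/expiring-soon.
SAMPLE_KEYS = [
    {"id": "key-a", "owner": "payments", "expires_at": "2025-03-01T00:00:00Z", "rotate_by": "2025-02-15T00:00:00Z"},
    {"id": "key-b", "owner": None, "expires_at": "2025-03-10T00:00:00Z", "rotate_by": None},
    {"id": "key-c", "owner": "search", "expires_at": "2025-06-01T00:00:00Z", "rotate_by": "2025-05-15T00:00:00Z"},
    {"id": "key-d", "owner": "batch", "expires_at": "not-a-date", "rotate_by": "2025-05-15T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; return None if missing or malformed."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # Treat naive timestamps as UTC so comparisons never mix naive and aware.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def triage(keys, now, window=timedelta(days=14)):
    """Return {key id: [findings]} for every key that needs attention."""
    report = {}
    for key in keys:
        findings = []
        expires = parse_ts(key.get("expires_at"))
        if expires is None:
            # A key whose expiry cannot be read can never raise an alert.
            findings.append("unparseable_expiry")
        elif expires <= now:
            findings.append("expired")
        elif expires - now <= window:
            findings.append("inside_alert_window")
        if not key.get("owner"):
            findings.append("missing_owner")
        if parse_ts(key.get("rotate_by")) is None:
            findings.append("missing_rotation_date")
        if findings:
            report[key.get("id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    now = datetime(2025, 3, 5, tzinfo=timezone.utc)  # constructed "current" time
    for key_id, findings in triage(SAMPLE_KEYS, now).items():
        print(key_id, ", ".join(findings))
```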
Recover
For API keys:
- Create a new key with the least required permissions.
- Redeploy the caller with the new secret.
- Revoke the expired key if it remains in storage.
For federation or issuer keys:
- Follow Key Rotation.
- Notify peer operators of the new public key or manifest.
- Ask peers to re-pin if automatic refresh is unavailable.
- Confirm federation pulls resume.
For encryption passphrases:
- Restore the last known-good secret from your secrets manager.
- Bring the node healthy.
- Schedule a controlled rekey rather than improvising during an outage.
Communicate
After recovery, add or fix the rotation reminder that should have prevented the outage.
Tell affected callers or peers which key expired, when replacement credentials will be available, and whether any data integrity risk exists.