---
title: Rotating an API gateway credential
description: For security reasons, you should rotate an API gateway's credential on a regular basis.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1az_rotating_gateway_credential
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_rotating_gateway_credential.html
revdate: June 27, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Rotating an API gateway credential

For security reasons, you should rotate an API gateway's credential on a regular basis.

## About this task

|   |                                                                       |
| - | --------------------------------------------------------------------- |
|   | If the credential might have been compromised, change it immediately. |

An API gateway credential is a safeguard against requests from an unauthorized API gateway integration kit. After you create a credential and copy it to your Ping Identity [integration kit](p1az_api_gateway_is.html), the credential is included in authorization requests made from the API Gateway to the HTTP Access Policy service. If the credential is absent or no longer valid, the HTTP Access Policy service automatically rejects the client API request.

You can use the PingOne Authorize console to create a new credential for an existing API gateway. This enables you to retrieve the credential without having to make an API call. After you create a new credential in PingOne Authorize, you must update all API gateway integration kits that use the credential. Retain the previous credential to give API gateway owners time to make updates without causing errors for users.

## Steps

1. In PingOne, go to **Authorization → API Gateways**.

2. Click the API gateway with the credential that you want to rotate to open its details panel.

3. On the details panel, click the **[icon: plus, set=fa]**icon next to **Credentials**, copy the credential and save it somewhere convenient, and then click **Done**.

   ![Screen capture of a successful credential creation, with the Copy to clipboard button highlighted](_images/qwg1706118925603.png)

   |   |                                                                                                                                                                                            |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | The HTTP Access Policy service will accept both the old and new credentials. To prevent downtime, do not revoke the active gateway credential until after you update the integration kits. |

4. Update each integration kit with the newly created gateway credential.

   Learn more about configuring your specific integration kit in [API Gateway integrations](p1az_api_gateway_is.html).

5. In the details panel of your API gateway, click the **Delete** icon next to the old gateway credential, and then click **Revoke**.

   ![Screen capture of the Revoke Credential window being displayed](_images/ylz1706119190726.png)