Skip to content

Rotate key

Destructive: rotates your Log10x API key. The previous key is invalidated immediately on the server, on every machine and tool that uses it. On success, the tool writes the new key to ~/.log10x/credentials, updates process.env.LOG10X_API_KEY for this process, and reloads envs in-place so the next tool call uses the new key seamlessly.

Other devices holding the old key start getting 401 on the next request and need to be updated manually (or rotated again from there). The MCP host config files (e.g., claude_desktop_config.json) are not edited — the result message tells you to update those so the rotation sticks across host restarts.

Confirm-string guarded: pass the literal string rotate-now to proceed. This prevents accidental rotation as a chained side effect of another flow.

Example

You

rotate my key

Log10x

Confirm rotation:

rotate_api_key(confirm="rotate-now")

This invalidates the previous key everywhere. You'll need to update other devices and MCP host configs that hold the old key.

Prerequisites

Signed in. Demo accounts cannot rotate (backend returns 403, surfaced cleanly).

Schema and samples

Input example

Real call against the demo env (captured by scripts/capture-tool-envelopes.mjs).

{
  "confirm": "rotate-now"
}
Input schema

Agent-facing JSON Schema (the canonical shape the MCP server publishes via tools/list):

{
  "type": "object",
  "properties": {
    "confirm": {
      "type": "string",
      "const": "rotate-now",
      "description": "Pass the literal string `rotate-now` to confirm rotation. This is a typo-prevention guard. Rotation invalidates the previous key immediately on every machine and tool that uses it — only proceed when the user has explicitly asked for rotation, not as a chained side effect of another flow. **Always ask the user to confirm before calling this tool.**"
    }
  },
  "required": [
    "confirm"
  ],
  "additionalProperties": false
}

Source: src/tools/rotate-api-key.ts.

Output example

Real envelope from the demo env. view: "summary" returns the full StructuredOutput with typed data. Long arrays + base64 PNG bodies trimmed for readability; the real call returns them in full.

Headline (the 1-line agent-facing answer):

API key rotated for alice@acme.example — previous key invalidated, new key persisted to ~/.log10x/credentials.

{
  "schema_version": "1.0",
  "schema_epoch": "2026-05-25",
  "tool": "log10x_rotate_api_key",
  "view": "summary",
  "summary": {
    "headline": "API key rotated for alice@acme.example — previous key invalidated, new key persisted to ~/.log10x/credentials."
  },
  "data": {
    "ok": true,
    "username": "alice@acme.example",
    "new_api_key": "<new-uuid>",
    "credentials_path": "~/.log10x/credentials",
    "env_var_cleared": true,
    "host_config_edit_needed": true
  },
  "warnings": [
    "rotation invalidates the previous key on every machine; update other MCP hosts, scripts, and CI secrets"
  ],
  "generated_at": "2026-05-26T00:00:00.000Z"
}
Output schema

The data block inside the StructuredOutput envelope:

interface ToolData {
  ok: boolean;
  username: string;
  new_api_key: string;
  credentials_path: string;
  env_var_cleared: boolean;
  host_config_edit_needed: boolean;
}

Envelope-level fields the agent should also read: summary.headline (1-line answer), actions[] (next-call chain hints as {tool, args, reason}), truncated: boolean, images[] (PNG attachments where applicable), schema_epoch (engine-ID stability boundary).

Next: Install