# Key Management
Settld key handling must preserve both forward security and historical verifiability.
## Key classes
- Tenant API keys (runtime access)
- Webhook signing/verification secrets
- Signature verification keys used in receipt/evidence validation
## Rotation baseline
- Rotate with overlap windows.
- Keep previous verification keys for historical receipts.
- Record key IDs and their effective windows in the audit trail.
- Re-run smoke and verification checks after rotation.
## CLI / ops commands

Rotate configured keys:

```
npm run keys:rotate
```

Run post-rotation health checks:

```
npm run test:ci:mcp-host-smoke
npm run ops:x402:receipt:sample-check
```
## Never do this
- Do not hard-delete keys needed for historical proof verification.
- Do not rotate without a rollback path and ownership.