Skip to content

Signing Keys API

Rotate signing secrets without downtime.

See the Signing and verification concept for background.

POST /v1/destinations/{id}/signing-keys/rotate

Generates a new signing secret. During the grace period (default 7 days), Harbor sends both old and new signatures so your customer can roll over.

NameTypeRequiredDescription
grace_period_daysintegernoHow long to double-sign. 0-30. Default 7.

The new signing_secret (shown ONCE) and the rotation timeline.

Terminal window
curl -X POST https://api.harbor.example/v1/destinations/dest_01HXYZ/signing-keys/rotate \
-H "Authorization: Bearer hk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"grace_period_days": 7
}'
  • destination_not_found
  • rotation_in_progress