Prerequisites:
kubectl access to the cluster
psql access to the LangSmith database
org admin access to LangSmith.
This process must be completed before the existing key expires or is deleted. An expired or deleted deployment key will immediately break the running deployment. We recommend triggering this rotation a few days before expiry rather than relying on automated deletion.
1. Create a new service key
In LangSmith UI: Settings > API Keys > Service > New. Set an expiry matching your rotation policy (e.g. 90 days). Save the key value - it won't be shown again.
2. Get the new key's UUID
curl -H "X-Api-Key: <your-langsmith-api-key>" \
  https://<your-langsmith-host>/api/v1/orgs/current/service-keys

Note the id field of the new key.
3. Find the deployment's k8s secret name and namespace
SELECT id, name, api_key_id, metadata->>'k8s_namespace' AS namespace
FROM host_projects
WHERE name = '<deployment-name>';

Then find the secret in that namespace (the secret name is derived from the deployment name and workspace ID):

kubectl get secrets -n <namespace> | grep <deployment-name-prefix>

4. Get the current API key from the secret (optional for rollback)
kubectl get secret <secret-name> -n <namespace> \
  -o jsonpath='{.data.LANGCHAIN_API_KEY}' | base64 -d

5. Patch the k8s secret with the new key
kubectl patch secret <secret-name> -n <namespace> \
  --type='merge' \
  -p "{\"data\":{\"LANGCHAIN_API_KEY\":\"$(printf '%s' '<new-api-key>' | base64)\"}}"

6. Update the deployment's key reference in the database
UPDATE host_projects
SET api_key_id = '<new-api-key-uuid>'
WHERE id = '<deployment-uuid>';

7. Create a new revision
Trigger a redeployment via the LangSmith UI. The reconciler will preserve the patched key value in the k8s secret across the revision.
8. Delete the old key
Once the new revision is running cleanly, delete the old key via LangSmith UI: Settings > API Keys > Service.
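
Steps 4 and 5 can be wrapped so the old value is saved for rollback and the patched secret is read back before the database update. The script below is an added example, not LangSmith tooling; the function names and the backup-file argument are hypothetical, and it assumes the new key is supplied on stdin.

```sh
#!/bin/sh
# Added example, not LangSmith tooling; all function names are hypothetical.

# Read the key from stdin so the plaintext is not typed into shell history,
# drop CR/LF picked up by copy-paste, and emit base64 on one line. GNU base64
# wraps at 76 columns, and a newline inside the JSON patch would break it.
encode_key() {
    key=$(tr -d '\r\n')
    [ -n "$key" ] || { echo "empty key" >&2; return 1; }
    printf '%s' "$key" | base64 | tr -d '\n'
}

# Merge patch for step 5, given the base64 value as $1.
build_patch() {
    printf '{"data":{"LANGCHAIN_API_KEY":"%s"}}' "$1"
}

# Value currently stored in the secret, left base64-encoded (step 4).
read_secret_b64() {
    kubectl get secret "$1" -n "$2" -o jsonpath='{.data.LANGCHAIN_API_KEY}'
}

# Steps 4-5 plus a read-back check.
# Usage: rotate_secret <secret-name> <namespace> <backup-file> < new-key-file
rotate_secret() {
    secret=$1 ns=$2 backup=$3
    want=$(encode_key) || return 1
    # Keep the old value for rollback in a file only the owner can read.
    ( umask 077; read_secret_b64 "$secret" "$ns" > "$backup" ) || return 1
    kubectl patch secret "$secret" -n "$ns" --type=merge \
        -p "$(build_patch "$want")" >/dev/null || return 1
    # Confirm the secret now holds exactly the new key before steps 6-7.
    if [ "$(read_secret_b64 "$secret" "$ns")" != "$want" ]; then
        echo "secret does not hold the new key; old value saved in $backup" >&2
        return 1
    fi
}
```

The backup file holds the old key in base64, which is encoding and not encryption; remove it once step 8 is done.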