Skip to content

API key expiry: surface/renew without requiring a redeploy #723

Description

@sid88in

Split out from the v2 RFC (#378, item 4).

Context

AppSync API keys have a maximum validity of 365 days. The plugin extends key lifetime on
each redeploy, but if you don't redeploy, keys can silently expire — leading to surprise
loss of connectivity.

Current state (v2)

Key lifetime is controlled via expiresAt / expiresAfter (see doc/API-keys.md). A key
is not renewed unless you change that value and redeploy. There is no notification of
upcoming expiry and no renewal mechanism independent of deployment.

Proposal (options to discuss)

  1. Lightweight: a CLI command (e.g. sls appsync api-keys) that reports keys and their
    expiry, and optionally renews them on demand — no extra deployed resources.
  2. Opt-in automation: a scheduled Lambda that periodically renews keys.

Option 1 is much lower-footprint (no added stack resources) and may cover most of the pain.
Option 2 adds resources and complexity that not everyone wants.

Open questions

  • Is expiry visibility enough, or is hands-off renewal genuinely needed?
  • If automating, opt-in only, and how to scope the renewal Lambda's permissions.

Metadata

Metadata

Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions