docs: add tutorial on rotating Kosli API keys

[mintlify]

Adds a new tutorial walking users through zero-downtime rotation of Kosli service account API keys.

Changes

• New page: tutorials/rotating_api_keys.mdx — covers how rotation works (grace period), rotating via the Kosli web app, rotating via the API (with curl examples), rolling the new key out, verifying the old key is decommissioned, and recommended cadence.
• config/navigation.json — adds the new tutorial under the existing Tutorials → Security group.

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
kosli	🟢 Ready	View Preview	May 18, 2026, 5:40 AM

[claude]

Claude finished @vidhu-balad's task in 2m 17s —— View job

---

Review of PR #229 — Rotating API keys tutorial

• Read CLAUDE.md and doc-review skill
• Read changed files and gather context
• Check navigation config for new page
• Verify links and content conventions
• Post review findings

---

Overall assessment

Good tutorial — well-structured, correct Diátaxis classification (tutorial), clear writing in active voice, and all required conventions followed. The cross-link from service-accounts.md is a nice touch.

Checklist

Check	Status
New page in config/navigation.json	✅ Added under Tutorials → Security
Frontmatter (title + description)	✅ Present
Root-relative links (no ../)	✅ All links are root-relative
Internal file links resolve	✅ /getting_started/service-accounts, /helm/k8s_reporter, /getting_started/install#assigning-flags-via-config-files all verified
API reference links	✅ Confirmed working in preview by @vidhu-balad
Writing style (active voice, "Kosli" not "the Kosli platform")	✅

Findings

No critical issues. Three suggestions posted as inline comments:

1. Suggestion (rotating_api_keys.mdx:30-36): Use <Steps>/<Step> for the web app rotation procedure — matches CLAUDE.md's recommendation and other tutorials' patterns.
2. Suggestion (rotating_api_keys.mdx:108): The ## Related section is unique to this tutorial — consider a <CardGroup> or removing it since the links are already inline in the body.
3. Suggestion (rotating_api_keys.mdx:8-10): The <Tip> about hashing is nearly identical to one on service-accounts.md — consider removing the duplicate.

[claude]

Minor: other tutorials in this site (e.g. unauthorized_iac_changes.md) open directly with the intro text after frontmatter, without an ## Introduction heading. Dropping it would be more consistent with the rest of the site.

[claude]

The API reference links (this one and the ones in the ## Related section) point to paths generated from the OpenAPI spec. Worth verifying these resolve correctly in the preview deployment before merging — there are no local files backing them.

[vidhu-balad]

All the reference links resolve as expected.

[claude]

Suggestion: Most tutorials in this site (e.g. unauthorized_iac_changes.md, attest_snyk.md, report_aws_envs.md) open directly with intro text after frontmatter — no ## Introduction heading. Only organizing_with_spaces.mdx also uses one. Dropping it would be more consistent with the majority pattern.

Suggested change

## Introduction

[claude]

Improvement: Both "shared organization" and "service account" link to the same anchor (/getting_started/service-accounts#service-accounts). The link text "shared organization" is misleading — that anchor covers the Service Accounts heading, not shared orgs specifically. Consider simplifying the prerequisite:

Suggested change

	- A Kosli shared organization with at least one [service account](/getting_started/service-accounts#service-accounts) and an existing API key.
	- A Kosli shared organization with at least one [service account](/getting_started/service-accounts#service-accounts) and an existing API key.

[claude]

Suggestion: CLAUDE.md lists <Steps> / <Step> as the recommended component for sequential procedures. This numbered list would be a good candidate for that component, matching how other tutorials present step-by-step workflows.

[claude]

Improvement: The API reference links (/api-reference/service-accounts/...) are generated from the OpenAPI spec and can't be verified locally. Worth confirming they resolve in the preview deployment before merging.

[claude]

Improvement: This sequential procedure is a good candidate for the <Steps>/<Step> component, which is used for similar workflows in other tutorials (e.g., report_cloud_run_envs.md, linking_trails_across_branches.md) and recommended in CLAUDE.md for sequential procedures.

Suggested change

	1. Log in to Kosli and select the organization that owns the service account.
	2. Go to **Settings** → **Service accounts** in the left navigation.
	3. Open the service account whose key you want to rotate.
	4. Find the key in the **API Keys** list and click **Regenerate**.
	5. Choose a grace period for the old key, then confirm.
	6. Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
	<Steps>
	<Step>
	Log in to Kosli and select the organization that owns the service account.
	</Step>
	<Step>
	Go to **Settings** → **Service accounts** in the left navigation.
	</Step>
	<Step>
	Open the service account whose key you want to rotate.
	</Step>
	<Step>
	Find the key in the **API Keys** list and click **Regenerate**.
	</Step>
	<Step>
	Choose a grace period for the old key, then confirm.
	</Step>
	<Step>
	Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
	</Step>
	</Steps>

[claude]

Suggestion: The "Rotate a key from the Kosli web app" procedure (lines 30-36) is a sequential numbered list — a good candidate for the <Steps>/<Step> component, which CLAUDE.md recommends for sequential procedures and other tutorials use (report_cloud_run_envs.md, linking_trails_across_branches.md).

Suggested change

	1. Log in to Kosli and select the organization that owns the service account.
	2. Go to **Settings** → **Service accounts** in the left navigation.
	3. Open the service account whose key you want to rotate.
	4. Find the key in the **API Keys** list and click **Regenerate**.
	5. Choose a grace period for the old key, then confirm.
	6. Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
	<Steps>
	<Step>
	Log in to Kosli and select the organization that owns the service account.
	</Step>
	<Step>
	Go to **Settings** → **Service accounts** in the left navigation.
	</Step>
	<Step>
	Open the service account whose key you want to rotate.
	</Step>
	<Step>
	Find the key in the **API Keys** list and click **Regenerate**.
	</Step>
	<Step>
	Choose a grace period for the old key, then confirm.
	</Step>
	<Step>
	Copy the new key value immediately and store it in your secrets manager — it will not be shown again.
	</Step>
	</Steps>

[claude]

Suggestion: No other tutorial in the site has a ## Related section. The links are useful, but for consistency you could move them into a <Card>/<CardGroup> at the bottom (matching the navigational card pattern used elsewhere), or simply drop the section since the API reference links are already inline in the body.

[claude]

Suggestion: The tip on lines 8-10 is nearly identical to the one already on /getting_started/service-accounts (line 31-33). Since the tutorial already links to that page, consider removing it here to avoid maintaining the same statement in two places. If you want to keep a reminder, a shorter inline note ("Remember, the key is shown only once") might be lighter.