Key Rotation
Rotate Thoth MCP Proxy fleet credentials with validation and revocation controls.
Use this guide to rotate fleet-scoped keys for Thoth MCP Proxy.
Rotation workflow
- Create a new fleet-scoped key in Thoth -> Build -> API Keys -> Create New API Key.
- In the key modal, set:
  - Scope = Fleet
  - Target = the fleet ID you are rotating
  - Permissions = only what the fleet needs (read, write, execute)
- If you need to create a new fleet first, set Region to the fleet's actual control-plane region (for many CorpSec fleets this is us-east-1; use us-west-2 only if that fleet is actually west-managed).
- Copy and securely store the new key immediately (shown once).
- Update Jamf or Intune runtime configuration with the new key reference.
- Force profile refresh for the target smart group.
- Validate endpoint health and check-in continuity.
- Revoke the old key after the validation window.
Endpoint-scoped keys: machine identity guidance
When creating an Endpoint-scoped key, use the endpoint's managed/immutable identity as the primary scope target.
Recommended format:
- endpoint_id: lowercase letters/numbers/hyphens, e.g. corpsec-mbp-naomi-nagata-01
- optional hostname reference for inventory only, e.g. mbp-naomi-nagata.local
On macOS, get hostname values with:
On Windows, get hostname values with:
Proxy identity resolution order is:
- Managed override (THOTH_INTUNE_DEVICE_ID / INTUNE_DEVICE_ID / THOTH_JAMF_COMPUTER_ID / JAMF_COMPUTER_ID)
- OS machine identity
- Hostname fallback
If the key's scope context and the runtime identity differ, the enforcer currently allows execution for valid keys and emits warning logs. Treat those warnings as drift signals and realign the endpoint identity mappings.
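The resolution order and the drift warning above, as an added example that is not part of the Thoth MCP Proxy code base. It walks the managed-override variables in the listed precedence, falls through to an OS machine identity and then to the hostname, validates the recommended endpoint_id format, and reproduces the documented behaviour for a mismatch (execution allowed, warning emitted). The `os_identity` and `hostname` callables are injected so the block runs offline; the sample values are constructed.

```python
import logging
import re
from typing import Callable, Mapping, Tuple

log = logging.getLogger("thoth.identity")

# Recommended endpoint_id format from the guide: lowercase letters, digits, hyphens.
ENDPOINT_ID_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")

# Managed-override variables, in the precedence the guide lists.
MANAGED_OVERRIDE_VARS = (
    "THOTH_INTUNE_DEVICE_ID",
    "INTUNE_DEVICE_ID",
    "THOTH_JAMF_COMPUTER_ID",
    "JAMF_COMPUTER_ID",
)


def is_valid_endpoint_id(value: str) -> bool:
    """True when value matches the recommended endpoint_id format."""
    return bool(ENDPOINT_ID_RE.match(value))


def resolve_identity(
    env: Mapping[str, str],
    os_identity: Callable[[], str],
    hostname: Callable[[], str],
) -> Tuple[str, str]:
    """Return (source, identity) following the documented resolution order.

    1. managed override (first non-empty variable in MANAGED_OVERRIDE_VARS)
    2. OS machine identity (injected callable; real impl would read the platform ID)
    3. hostname fallback (lower-cased, since endpoint_ids are lowercase)
    """
    for var in MANAGED_OVERRIDE_VARS:
        value = env.get(var, "").strip()
        if value:
            return ("managed", value)
    machine = (os_identity() or "").strip()
    if machine:
        return ("os", machine)
    return ("hostname", hostname().strip().lower())


def evaluate_key_context(key_endpoint_id: str, resolved: Tuple[str, str]) -> dict:
    """Compare the key's scoped endpoint_id with the runtime identity.

    Mirrors the documented enforcer behaviour: a valid key is still allowed on
    mismatch, but the mismatch is logged as a drift warning for realignment.
    """
    source, identity = resolved
    drift = identity != key_endpoint_id
    if drift:
        log.warning(
            "identity drift: key scoped to %s but runtime resolved %s via %s",
            key_endpoint_id, identity, source,
        )
    return {"allowed": True, "drift": drift, "source": source, "identity": identity}


if __name__ == "__main__":
    # Constructed sample: Jamf-managed Mac whose key matches its managed identity.
    env = {"JAMF_COMPUTER_ID": "corpsec-mbp-naomi-nagata-01"}
    resolved = resolve_identity(env, lambda: "", lambda: "mbp-naomi-nagata.local")
    print(evaluate_key_context("corpsec-mbp-naomi-nagata-01", resolved))
```

Because the hostname fallback is the weakest identity, the `source` field in the result is worth recording alongside any drift warning: a fleet where many endpoints resolve via `hostname` is one where the managed identity mapping has not been pushed.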
Optional API equivalent (same control-plane contract):
Optional authorization check before broad rollout:
Emergency revocation
- Add compromised key IDs to THOTH_REVOKED_API_KEY_IDS_FILE.
- Push updated profile and force endpoint check-in.
- Validate revocation status.
Expected posture fields:
- api_key.key_id
- api_key.expired
- api_key.rotation_required
- api_key.revoked
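The revocation steps and the posture fields above, as an added example that is not Thoth's own code. It parses a revoked-ID list (assumed format: one key ID per line, `#` comments ignored), computes the four posture fields for each key record, and checks that every compromised ID now reports `api_key.revoked`. The 90-day rotation window, the record fields (`issued_at`, `expires_at`), and all key IDs are constructed assumptions; the clock is fixed so the result is deterministic.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Assumed rotation window; the guide only says to define it before rollout.
ROTATION_WINDOW = timedelta(days=90)

# Fixed clock so the posture values below are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample contents of THOTH_REVOKED_API_KEY_IDS_FILE after the push.
REVOKED_FILE_TEXT = """\
# constructed sample: one compromised key ID per line
key_old_0001
"""


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str
    issued_at: datetime
    expires_at: datetime


def load_revoked_key_ids(text: str) -> frozenset:
    """Parse the revoked-ID file: one ID per line, '#' comments and blanks ignored."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry)
    return frozenset(ids)


def key_posture(record: ApiKeyRecord, revoked_ids: frozenset, now: datetime = NOW) -> Dict[str, object]:
    """Compute the expected posture fields for one key."""
    return {
        "api_key.key_id": record.key_id,
        "api_key.expired": now >= record.expires_at,
        "api_key.rotation_required": (now - record.issued_at) >= ROTATION_WINDOW,
        "api_key.revoked": record.key_id in revoked_ids,
    }


def unrevoked_after_push(records: Iterable[ApiKeyRecord], revoked_ids: frozenset,
                         compromised: Iterable[str], now: datetime = NOW) -> List[str]:
    """IDs from `compromised` whose posture does not yet show revoked.

    An empty list means the revocation step validated; anything else is an
    endpoint or profile that has not picked up the updated file.
    """
    posture_by_id = {r.key_id: key_posture(r, revoked_ids, now) for r in records}
    return [kid for kid in compromised
            if not posture_by_id.get(kid, {}).get("api_key.revoked", False)]


# Constructed sample records: an old (compromised) key, its replacement, and an expired one.
SAMPLE_RECORDS = [
    ApiKeyRecord("key_old_0001", datetime(2024, 1, 15, tzinfo=timezone.utc), datetime(2024, 7, 15, tzinfo=timezone.utc)),
    ApiKeyRecord("key_new_0002", datetime(2024, 5, 30, tzinfo=timezone.utc), datetime(2024, 11, 30, tzinfo=timezone.utc)),
    ApiKeyRecord("key_exp_0003", datetime(2023, 1, 1, tzinfo=timezone.utc), datetime(2024, 1, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    revoked = load_revoked_key_ids(REVOKED_FILE_TEXT)
    for rec in SAMPLE_RECORDS:
        print(key_posture(rec, revoked))
    print("still unrevoked:", unrevoked_after_push(SAMPLE_RECORDS, revoked, ["key_old_0001"]))
```

Recording the posture dictionaries with a timestamp at both the key-update and the revocation step gives the evidence the required controls ask for, and the `unrevoked_after_push` result is the check to gate closing the incident on.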
Required controls
- Define the rotation window before rollout.
- Keep blast radius bounded to fleet scope.
- Prepare rollback configuration before key cutover.
- Capture timestamped evidence of key update and revocation.