You need a new token on an existing virtual key. The key row, spend cap, and per-month accrued spend stay; only the token bytes change.
When to rotate
- A token leaked into a public repo or log file.
- Scheduled periodic rotation per your team's policy.
- A teammate left and you want to invalidate their copies.
Run the rotate command
From an Agent terminal:
crabglamp keys regenerate
There is no key-id argument — the command always acts on this Agent's one key. The old token is invalidated at the proxy within seconds, the new token is written into the Agent's OpenClaw config, and the gateway restarts so the new credential takes effect.
Update anything that used the old token
Because the CLI updates the Agent's OpenClaw config automatically, agent sessions keep working. If you exported the key into your own shell config or code, replace those copies with the new token — for example in ~/.bashrc:
sed -i 's/cg-pk-[A-Za-z0-9]*/cg-pk-NEW.../g' ~/.bashrc
source ~/.bashrc
What is preserved
- The key's id stays the same.
- Spend-cap value stays the same.
- Accrued spend for the current month stays the same.
- Usage history is unaffected.
- Billing rolls forward unchanged.
What is invalidated
- The old token. Subsequent requests with it return HTTP 401 from the proxy.
- Any process that exported the old token needs the new one.