fix: 1. App keys, 2. Rotate client secret, 3. API key errors page(s) update#733

Open: tamalchowdhury wants to merge 4 commits into main from tamal/update/trending-pages-update

tamalchowdhury (Collaborator) commented May 13, 2026

This PR improves 3 new doc changes. The following pages are updated with better content, instructions, and ai_summary:

  • Kinde app keys
  • Rotate client secret: Properly documented the retention of old client secret
  • Common API key error page

Summary by CodeRabbit

  • Documentation
    • Updated client secret rotation guide: clarified immediate deactivation, eligibility list, new rotation workflow, moved “Maintain previous secret” toggle before rotation (paid-plan gated) and adjusted confirmation flow; added guidance and screenshot for maintaining/deleting previous secrets.
    • Simplified app keys guide with streamlined view/copy workflow and expanded FAQs on secrets, PKCE, and secure storage.
    • Expanded API key troubleshooting with refreshed error categories, updated solutions/examples, and a new section on preventing future errors.

@tamalchowdhury tamalchowdhury requested a review from a team as a code owner May 13, 2026 18:22
coderabbitai Bot (Contributor) commented May 13, 2026

Walkthrough

Three documentation pages were updated: client secret rotation now requires immediate deactivation of the old secret and adds a paid "Maintain previous secret" option; the app keys guide was rewritten with FAQs on rotation, PKCE, and secret storage; and the API key troubleshooting guide was expanded with refreshed error categories and new code examples and prevention guidance.

Changes

API Credentials Documentation

| Layer / File(s) | Summary |
| --- | --- |
| App keys getting started guide: `src/content/docs/get-started/connect/getting-app-keys.mdx` | Frontmatter adds table-of-contents and sidebar label. Intro and "View and copy app keys" steps rewritten. New "App key FAQs" explains client secret rotation eligibility, why front-end apps have no client secret (PKCE), and secure secret storage recommendations. |
| Client secret rotation guide: `src/content/docs/build/applications/rotate-client-secret.mdx` | Frontmatter refreshed. Eligibility clarified to back-end and M2M only; rotation workflow changed to View details → Details → Admin actions → Rotate; a paid-plan "Maintain previous secret" toggle and upgrade aside were added; new "Maintaining the previous client secret" section requires deleting the previous secret before rotating again and includes a new screenshot. |
| API key troubleshooting guide: `src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx` | Frontmatter adds table-of-contents and expands topics/keywords. "Common error types" overview rewritten. Solutions updated with new code examples and guidance: Invalid API key (Bearer header checklist), Token expired (client-credentials helper + expiry/refresh logic), Malformed request (headers + URLSearchParams token exchange), Insufficient scope (dashboard steps), Organization access denied (token org validation + API 403 example), Rate limit exceeded (RateLimiter implementation), and Invalid scopes (dashboard checks and common scopes). A "Prevent future API key errors" section was appended. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Pages pruned, then polished with care,
Secrets rotated, shown how to prepare,
FAQs and snippets neatly aligned,
Docs hop forward — clear, swift, and kind. 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title identifies three documentation pages being updated (app keys, rotate client secret, API key errors) and matches the actual changes in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


cloudflare-workers-and-pages Bot commented May 13, 2026

Deploying kinde-docs-preview with Cloudflare Pages

Latest commit: db1928b
Status: ✅  Deploy successful!
Preview URL: https://f8325017.kinde-docs-preview.pages.dev
Branch Preview URL: https://tamal-update-trending-pages.kinde-docs-preview.pages.dev

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/build/applications/rotate-client-secret.mdx`:
- Line 37: The phrase "Kinde-side application" in the documentation line inside
rotate-client-secret.mdx is awkward and non-standard; replace it with clearer
wording such as "your application in Kinde", "the application configuration in
Kinde", or "the Kinde-hosted application" wherever "Kinde-side application"
appears (e.g., the sentence beginning "To ensure your applications remain
secure...") so the text reads naturally and consistently.

In
`@src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx`:
- Around line 125-136: The token endpoint examples use an incorrect
Authorization header and a single apiKey; update each example (notably the
function getValidToken(apiKey) and the other token-refresh snippets in the
"Token expired" section) to accept clientId and clientSecret parameters instead
of apiKey, remove the Authorization header, and include client_id and
client_secret as URL-encoded form fields in the POST body alongside
grant_type=client_credentials and scope; ensure the Content-Type remains
application/x-www-form-urlencoded and that the body concatenates client_id,
client_secret, grant_type, and scope for the /oauth2/token requests.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 18a33706-f95f-4df1-8cf1-ee8e72e9e70e

📥 Commits

Reviewing files that changed from the base of the PR and between b750eb9 and 7086252.

📒 Files selected for processing (3)
  • src/content/docs/build/applications/rotate-client-secret.mdx
  • src/content/docs/get-started/connect/getting-app-keys.mdx
  • src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx
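
The token request shape that the inline comment above asks for, as an added example that is not code from this PR or from the Kinde docs. The domain, credentials and scope are constructed placeholders, `createTokenProvider` is a hypothetical helper name, and `access_token` / `expires_in` are the standard OAuth 2.0 token response fields.

```javascript
// Added example. Only the /oauth2/token path comes from the review comment.
const TOKEN_PATH = "/oauth2/token";

// Build the client-credentials request: client_id and client_secret travel
// as URL-encoded form fields in the POST body, with no Authorization header.
function buildTokenRequest(domain, clientId, clientSecret, scope) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
  });
  if (scope) body.set("scope", scope);
  return {
    url: new URL(TOKEN_PATH, domain).toString(),
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(), // URLSearchParams escapes &, = and : in values
    },
  };
}

// Treat a token as expired slightly early so a request never leaves with
// a token that lapses while in flight.
function isExpired(cached, nowMs, skewMs = 30000) {
  return !cached || nowMs >= cached.expiresAt - skewMs;
}

// Returns a function that reuses the cached token until it nears expiry.
// fetchImpl and now are injectable so the flow can be exercised offline.
function createTokenProvider(cfg, fetchImpl = globalThis.fetch, now = Date.now) {
  let cached = null;
  return async function getValidToken() {
    if (!isExpired(cached, now())) return cached.accessToken;
    const { url, options } = buildTokenRequest(
      cfg.domain, cfg.clientId, cfg.clientSecret, cfg.scope);
    const res = await fetchImpl(url, options);
    // Report the status only; never echo the request body, which holds the secret.
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    cached = {
      accessToken: json.access_token,
      expiresAt: now() + json.expires_in * 1000,
    };
    return cached.accessToken;
  };
}
```
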

Comment thread src/content/docs/build/applications/rotate-client-secret.mdx Outdated
tamalchowdhury changed the title from "fix: update relevant doc pages with improved instructions" to "fix: 1. App keys, 2. Rotate client secret, 3. API key errors page(s) update" on May 15, 2026

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx (1)

309-330: ⚡ Quick win

Remove unnecessary async keyword.

The checkLimit method doesn't perform any asynchronous operations or await any promises, so the async keyword is unnecessary and misleading.

♻️ Proposed fix
-  async checkLimit(key) {
+  checkLimit(key) {
     const now = Date.now();
     const windowStart = now - this.window;
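
Review bot: On the `checkLimit(key)` declaration, dropping `async` changes the return value from a Promise to a plain boolean, so any caller that chains `.then()` or `.catch()` on the result will throw, while callers that `await` it keep working. Suggest stating the new return type next to the method in the docs page and checking the page for call sites other than the one usage example.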

And update the usage example at line 338:

-    if (!(await rateLimiter.checkLimit(apiKey))) {
+    if (!rateLimiter.checkLimit(apiKey)) {
       throw new Error("Rate limit exceeded. Please try again later.");
     }
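
Review bot: In the `if (!rateLimiter.checkLimit(apiKey))` line the limiter is keyed on the raw `apiKey`, so whatever structure tracks requests per key keeps a copy of the secret in memory; suggest keying on a key ID or a hash of the key in the documented example. The condition change itself is optional for correctness, since `await` on a non-Promise still yields the boolean, but it keeps the example consistent with the synchronous method.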
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx`
around lines 309 - 330, The checkLimit method is marked async despite having no
awaits; remove the async keyword from the checkLimit declaration (the method
that accesses this.requests, windowStart, limit and returns a boolean) and
update any example or call sites that use await on checkLimit to call it
synchronously or handle the returned boolean directly so callers no longer
expect a Promise.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 46b7a2b3-660e-475e-a4e7-cb75016bf343

📥 Commits

Reviewing files that changed from the base of the PR and between 7086252 and db1928b.

📒 Files selected for processing (2)
  • src/content/docs/build/applications/rotate-client-secret.mdx
  • src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx
