Wireguard Identity Rotation

[john walker]

I'm looking for a nice way to rotate keypairs with Wireguard. How much time
do you have to update the initiator and responder with new keypairs before
handshakes fail?

If I understood the whitepaper correctly, sessions aren't immediately invalid
when you change a peers identity. Instead, you have up to 5 minutes to update
both sides, or else the session keys are exhausted. Is this correct?

Thanks,
John