diff --git a/data/model/service_keys.py b/data/model/service_keys.py
index 601eb4d43..a07526e53 100644
--- a/data/model/service_keys.py
+++ b/data/model/service_keys.py
@@ -25,18 +25,15 @@ def _gc_expired(service):
 _stale_unapproved_keys_clause(service)).execute()
-def create_service_key(name, kid, service, jwk, metadata, expiration_date):
- sk = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
- expiration_date=expiration_date)
-
+def _notify_superusers(key):
 notification_metadata = {
- 'name': name,
- 'kid': kid,
- 'service': service,
- 'jwk': jwk,
- 'metadata': metadata,
- 'created_date': sk.created_date,
- 'expiration_date': expiration_date,
+ 'name': key.name,
+ 'kid': key.kid,
+ 'service': key.service,
+ 'jwk': key.jwk,
+ 'metadata': key.metadata,
+ 'created_date': key.created_date,
+ 'expiration_date': key.expiration_date,
 }
 superusers = User.select().where(User.username << app.config['SUPER_USERS'])
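Review bot: `_notify_superusers` has no docstring, although the delete paths added later in this patch depend on its contract: one `service_key_submitted` notification per account in `SUPER_USERS`, stored under `/service_key_approval/<kid>`. I would add `"""Create a service_key_submitted notification about key for every user in SUPER_USERS."""` directly under the `def`. The notification metadata copies `key.jwk` and `key.metadata` verbatim, so the docstring should also state that whatever those fields hold ends up in each superuser's notification. The function body continues past the end of this hunk.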
@@ -44,15 +41,21 @@ def create_service_key(name, kid, service, jwk, metadata, expiration_date):
 # TODO(jzelinskie): create notification type in the database migration
 # I already put it in initdb
 create_notification('service_key_submitted', superuser, metadata=notification_metadata,
- lookup_path='/service_key_approval/{0}'.format(kid))
+ lookup_path='/service_key_approval/{0}'.format(key.kid))
+
+def create_service_key(name, kid, service, jwk, metadata, expiration_date):
+ key = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
+ expiration_date=expiration_date)
+
+ _notify_superusers(key)
 _gc_expired(service)
-def replace_service_key(kid, jwk, metadata, expiration_date):
+def replace_service_key(old_kid, kid, jwk, metadata, expiration_date):
 try:
 with db_transaction():
- key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
+ key = db_for_update(ServiceKey.select().where(ServiceKey.kid == old_kid)).get()
 metadata = key.metadata.update(metadata)
 ServiceKey.create(name=key.name, kid=kid, service=key.service, jwk=jwk, metadata=metadata, expiration_date=expiration_date, approval=key.approval)
@@ -60,6 +63,8 @@ def replace_service_key(kid, jwk, metadata, expiration_date):
 except ServiceKey.DoesNotExist:
 raise ServiceKeyDoesNotExist
+ _notify_superusers(key)
+ delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(old_kid))
 _gc_expired(key.service)
@@ -84,6 +89,7 @@ def delete_service_key(service, kid):
 except ServiceKey.DoesNotExist:
 raise ServiceKeyDoesNotExist()
+ delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
 _gc_expired(service)
diff --git a/endpoints/key_server.py b/endpoints/key_server.py
index cb4cc0ae2..452b280d0 100644
--- a/endpoints/key_server.py
+++ b/endpoints/key_server.py
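Review bot: In `replace_service_key`, the unchanged line `metadata = key.metadata.update(metadata)` rebinds `metadata` to the return value of `update()`, which is `None` for a plain dict, so the replacement row would be created with `metadata=None` while the old row's dict is mutated in memory. If `key.metadata` is a dict (its type is not visible here), merge into a copy with `merged = dict(key.metadata); merged.update(metadata)` and pass `metadata=merged` to `ServiceKey.create`. The patch edits the line directly above but leaves this one as it was. The row returned by `ServiceKey.create(...)` is also discarded, which matters for the notification call added in the next hunk. The function body continues past this hunk.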
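Review bot: `_notify_superusers(key)` receives the row that was fetched by `old_kid`, not the newly created key, so the notification is written under `/service_key_approval/<old_kid>` and the very next line deletes everything under that prefix. As far as the visible lines show, a rotation therefore leaves superusers with no record of the replacement key, even though that key inherits `approval=key.approval`. Keep the created row inside the transaction (`new_key = ServiceKey.create(...)`), delete the old notifications first, then call `_notify_superusers(new_key)`. If no notification is intended for an inherited approval, drop the call rather than creating and immediately deleting it. The start of the function lies in the previous hunk.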
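Review bot: `delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))` matches by prefix, judging by the helper's name, so deleting a key with kid `abc` (constructed example) would also clear pending approval notifications for any key whose kid merely starts with `abc`. The same call with `old_kid` in `replace_service_key` in the previous hunk has the same exposure. The path written by `_notify_superusers` has nothing after the kid, so an exact-path delete is what is wanted here; if only a prefix helper exists, validate that kids cannot be prefixes of one another or terminate the stored path with a delimiter. The helper's implementation is not visible in this diff, so its matching rule should be confirmed. The function begins outside the hunk.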
@@ -115,7 +115,7 @@ def put_service_keys(service, kid):
 _validate_jwt(encoded_jwt, signer_jwk, service)
 try:
- data.model.service_keys.replace_service_key(kid, jwk, metadata, expiration_date)
+ data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
 except data.model.ServiceKeyDoesNotExist:
 abort(404)
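Review bot: Nothing visible in this hunk checks that `signer_key` belongs to `service` or is still approved and unexpired before its kid is handed to `replace_service_key`, which looks the old key up by kid alone and copies its `service` and `approval` onto the new key. The `service` from the URL is only used by `_validate_jwt` here, so a guard such as `if signer_key.service != service: abort(403)` belongs before the call unless the lookup above the hunk already enforces it. A comment like `# rotation: the signing key is replaced and its approval carries over to the new kid` would make the trust decision explicit. The handler starts and ends outside the hunk.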