
Why Rotate Keys

Rotate keys to reduce credential exposure risk, enforce compliance windows, and limit blast radius from accidental leakage.

Rotation Playbook

1. Inventory

  • Identify provider credentials or project keys to rotate.
  • Record where each key is used (projects, deployments, automation).

2. Create Replacement Credential

  • For provider keys: add a new credential in the Provider tab.
  • For project keys: create a replacement key in Projects with proper expiry and budget.

3. Cut Over Consumers

  • Update affected applications/services to use the replacement key.
  • Verify requests succeed with the new credential.

4. Revoke Old Credential

  • Delete the previous key only after confirming that all consumers have moved.
  • Use delete confirmation dialogs as a final guardrail.

Suggested Rotation Cadence

| Key Type | Recommended cadence |
|---|---|
| Provider credentials | Every 60–90 days (or provider policy) |
| Project keys | 30- or 60-day expiry aligned to team policy |

Verification Checklist

  • The new key has been validated in a real request path.
  • No active workloads still depend on the old key.
  • The old key is revoked after successful cutover.
  • Owner and timestamp are captured in internal audit notes.
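
The cadence check and the revoke gate from steps 3 and 4, as an added example (not part of the original page and not the product's own code). The inventory layout, usage-log format, key ids, consumer names and the 7-day quiet window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_AGE_DAYS = {"provider": 90, "project": 60}  # upper bounds from the cadence table

# Constructed inventory (step 1): key ids and consumer names are placeholders.
INVENTORY = [
    {"id": "prov-old", "type": "provider", "created": "2024-01-05",
     "consumers": ["billing-api", "nightly-etl"]},
    {"id": "proj-a", "type": "project", "created": "2024-03-20",
     "consumers": ["chat-ui"]},
]

# Constructed usage log: (timestamp, key id, consumer, request succeeded).
USAGE = [
    ("2024-04-01T09:00", "prov-old", "billing-api", True),
    ("2024-04-02T09:00", "prov-new", "billing-api", True),
    ("2024-04-09T02:00", "prov-old", "nightly-etl", True),
    ("2024-04-09T03:00", "prov-new", "nightly-etl", False),
]


def due_for_rotation(inventory, today):
    """Return ids of keys older than the cadence allows for their type."""
    return [k["id"] for k in inventory
            if (today - datetime.fromisoformat(k["created"])).days > MAX_AGE_DAYS[k["type"]]]


def revoke_blockers(old_id, new_id, consumers, usage, now, quiet=timedelta(days=7)):
    """Return reasons the old key must not be deleted yet (empty list = safe)."""
    blockers = []
    for c in consumers:
        events = [(datetime.fromisoformat(ts), key, ok)
                  for ts, key, who, ok in usage if who == c]
        # Step 3: the replacement key must have served a successful real request.
        if not any(key == new_id and ok for _, key, ok in events):
            blockers.append(f"{c}: no successful request with {new_id}")
        # Step 4: the old key must have been silent for the whole quiet window.
        if any(key == old_id and now - t < quiet for t, key, _ in events):
            blockers.append(f"{c}: still used {old_id} within {quiet.days} days")
    return blockers


if __name__ == "__main__":
    now = datetime(2024, 4, 10)
    print(due_for_rotation(INVENTORY, now))
    print(revoke_blockers("prov-old", "prov-new", INVENTORY[0]["consumers"], USAGE, now))
```

An empty list from `revoke_blockers` corresponds to the first two checklist items being satisfied for every recorded consumer; consumers missing from the inventory are not detected by this check.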