Why Rotate Keys
Rotate keys to reduce credential exposure risk, enforce compliance windows, and limit blast radius from accidental leakage.
Rotation Playbook
1. Inventory
- Identify provider credentials or project keys to rotate.
- Record where each key is used (projects, deployments, automation).
2. Create Replacement Credential
- For provider keys: add a new credential in the Provider tab.
- For project keys: create a replacement key in Projects with proper expiry and budget.
3. Cut Over Consumers
- Update affected applications/services to use the replacement key.
- Verify requests succeed with the new credential.
4. Revoke Old Credential
- Delete the previous key only after confirming that all consumers have moved.
- Use delete confirmation dialogs as a final guardrail.
Suggested Rotation Cadence
| Key Type | Recommended cadence |
|---|---|
| Provider credentials | Every 60–90 days (or provider policy) |
| Project keys | 30- or 60-day expiry aligned to team policy |
Verification Checklist
- New key has been validated in a real request path.
- No active workloads still depend on old key.
- Old key is revoked after successful cutover.
- Owner and timestamp are captured in internal audit notes.
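
The revoke gate from step 4 and the checklist above, written in Python as an added example (not part of the product or of this page's original text). It assumes you can export per-request usage records that name the consumer and the key; the record fields, key labels, consumer names, owner and the 24-hour quiet window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

def revocation_blockers(old_key, new_key, inventory, requests, now,
                        quiet=timedelta(hours=24)):
    """Return reasons the old key must not be revoked yet; [] means safe."""
    consumers = set(inventory.get(old_key, ()))
    # Checklist: new key validated in a real request path, per consumer.
    validated = {r["consumer"] for r in requests
                 if r["key_id"] == new_key and r["status"] < 400}
    blockers = [f"{c}: no successful request with {new_key}"
                for c in sorted(consumers - validated)]
    # Checklist: no active workload still depends on the old key.
    # Usage records also expose consumers the inventory step missed.
    recent_old = {r["consumer"] for r in requests
                  if r["key_id"] == old_key and now - r["ts"] <= quiet}
    for c in sorted(recent_old):
        gap = "" if c in consumers else " (missing from inventory)"
        blockers.append(f"{c}: still using {old_key}{gap}")
    return blockers

def audit_note(old_key, new_key, owner, now, blockers):
    """Checklist: capture owner and timestamp alongside the decision."""
    return {"old_key": old_key, "new_key": new_key, "owner": owner,
            "timestamp": now.isoformat(),
            "action": "hold" if blockers else "revoke",
            "blockers": blockers}

# Constructed sample data (assumed record shape). Key ids are labels,
# never the secret values themselves.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = {"key-old": ["billing-api", "nightly-etl"]}
REQUESTS = [
    {"ts": NOW - timedelta(hours=2), "consumer": "billing-api",
     "key_id": "key-new", "status": 200},
    {"ts": NOW - timedelta(hours=30), "consumer": "billing-api",
     "key_id": "key-old", "status": 200},
    {"ts": NOW - timedelta(hours=3), "consumer": "nightly-etl",
     "key_id": "key-new", "status": 401},
    {"ts": NOW - timedelta(hours=1), "consumer": "ci-runner",
     "key_id": "key-old", "status": 200},
]

if __name__ == "__main__":
    found = revocation_blockers("key-old", "key-new", INVENTORY, REQUESTS, NOW)
    print(audit_note("key-old", "key-new", "alice", NOW, found))
```

With the sample data the gate holds the revocation: nightly-etl has only a failed request on the new key, and ci-runner is still using the old key without appearing in the inventory.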