# Rotating Keys

> Run safe key rotation for provider and project credentials

## Why Rotate Keys

Rotate keys to reduce credential exposure risk, enforce compliance windows, and limit blast radius from accidental leakage.

```mermaid
flowchart LR
    A[Identify Key] --> B[Create Replacement]
    B --> C[Update Consumers]
    C --> D[Validate Traffic]
    D --> E[Revoke Old Key]
```

## Rotation Playbook

### 1. Inventory

* Identify provider credentials or project keys to rotate.
* Record where each key is used (projects, deployments, automation).

### 2. Create Replacement Credential

* For provider keys: add a new credential in the **Provider** tab.
* For project keys: create a replacement key in **Projects** with an appropriate expiry and budget.

### 3. Cut Over Consumers

* Update affected applications/services to use the replacement key.
* Verify requests succeed with the new credential.

### 4. Revoke Old Credential

* Delete the previous key only after confirming that all consumers have moved.
* Use delete confirmation dialogs as a final guardrail.

## Suggested Rotation Cadence

| Key Type             | Recommended cadence                         |
| -------------------- | ------------------------------------------- |
| Provider credentials | Every 60–90 days (or provider policy)       |
| Project keys         | 30- or 60-day expiry aligned to team policy |

## Verification Checklist

<Check>New key has been validated in a real request path.</Check>
<Check>No active workloads still depend on the old key.</Check>
<Check>Old key is revoked after successful cutover.</Check>
<Check>Owner and timestamp are captured in internal audit notes.</Check>
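
The playbook and checklist above can be enforced as a pre-revocation gate. The following is an added example, not code from this platform: the key IDs, consumer names, usage dates and the 7-day quiet window are constructed assumptions, and the inventory and last-use data are assumed to come from your own records and request logs.

```python
from datetime import date

# Upper bound of each range in the cadence table above, in days.
MAX_AGE_DAYS = {"provider": 90, "project": 60}

def due_for_rotation(kind, created, today):
    """True once a key has reached the maximum age for its type."""
    return (today - created).days >= MAX_AGE_DAYS[kind]

def revocation_blockers(old_id, new_id, consumers, validated, last_seen,
                        today, quiet_days=7):
    """List the reasons the old key must not be deleted yet (empty = safe).

    consumers:  consumer name -> key ID it is configured with (step 1 inventory)
    validated:  key IDs confirmed working in a real request path
    last_seen:  key ID -> date of the most recent request that used it
    quiet_days: assumed window with no old-key traffic; not from the page
    """
    blockers = []
    if new_id not in validated:
        blockers.append("replacement key not validated")
    stale = sorted(name for name, key in consumers.items() if key == old_id)
    if stale:
        blockers.append("still on old key: " + ", ".join(stale))
    seen = last_seen.get(old_id)
    if seen is not None and (today - seen).days < quiet_days:
        blockers.append(f"old key used {(today - seen).days} day(s) ago")
    return blockers

# Constructed sample data; key IDs and consumer names are made up.
TODAY = date(2025, 6, 30)
CONSUMERS = {"chat-api": "key-new", "batch-eval": "key-old", "ci-smoke": "key-new"}
LAST_SEEN = {"key-old": date(2025, 6, 29), "key-new": date(2025, 6, 30)}

if __name__ == "__main__":
    print("project key due:", due_for_rotation("project", date(2025, 4, 1), TODAY))
    for reason in revocation_blockers("key-old", "key-new", CONSUMERS,
                                      {"key-new"}, LAST_SEEN, TODAY):
        print("BLOCKED:", reason)
```

An empty list is the signal to proceed with step 4; a consumer missing from the inventory still shows up through the last-use check as long as it is sending traffic.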
