
Automated API Key Rotation & Secret Management

Automatically rotate API keys and secrets on schedule with zero-downtime updates across services and encrypted storage.

Advanced
20 minutes
Published Jan 29, 2024

Automated API Key Rotation

Rotate keys automatically without downtime. Security best practices on autopilot.

What You'll Build

A secret rotation system that:

  • Rotates API keys on a schedule (weekly, monthly, or custom)
  • Updates environment variables across all services
  • Maintains backward compatibility during transition
  • Logs all rotations with audit trail

Requirements

  • Plugins: Vercel, Render (for env var updates)
  • Time: 20 minutes

Setup

1. Define Rotation Schedule

Rotate these secrets:

  • OpenAI API key: every 30 days
  • Database password: every 90 days
  • Stripe API key: every 60 days
  • GitHub token: every 180 days

Alert me 7 days before rotation.

2. Configure Services to Update

After generating new key:

  1. Update env var on Vercel (all projects)
  2. Update env var on Render (all services)
  3. Update in password manager
  4. Redeploy services
  5. Verify new key works
  6. Revoke old key after 24h grace period

3. Set Up Dual-Key Period

Rotation strategy:

  • Day 0: Generate new key, keep old key active
  • Day 0-1: Both keys work (grace period)
  • Day 1: Revoke old key, only new key works

This ensures zero downtime.

4. Create Audit Log

Log every rotation:

  • Timestamp
  • Service/key rotated
  • Old key (last 4 chars)
  • New key (last 4 chars)
  • Who triggered (auto or manual)
  • Status (success/failed)

Export to CSV monthly for compliance.
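The dual-key rotation, rollback and audit log from steps 2-4, as an added Python example (not part of the recipe or of Claws). `Rotator`, `mask` and the `deploy` callback are hypothetical names: `deploy` stands in for the Vercel/Render env var update, redeploy and health check, and the key store is kept in memory.

```python
import csv, io, secrets
from datetime import timedelta
GRACE = timedelta(hours=24)  # grace period from step 3
FIELDS = ["timestamp", "service", "old_key", "new_key", "triggered_by", "status"]

def mask(key):
    """Only the last 4 characters of a key ever reach the audit log."""
    return "..." + key[-4:]

class Rotator:  # hypothetical in-memory stand-in for the provider's key store
    def __init__(self, service, current_key):
        self.service, self.current = service, current_key
        self.active = {current_key: None}  # key -> revoke-at time (None = no expiry)
        self.audit = []

    def _log(self, now, old, new, who, status):
        row = [now.isoformat(), self.service, mask(old), mask(new), who, status]
        self.audit.append(dict(zip(FIELDS, row)))

    def rotate(self, now, deploy, triggered_by="auto", grace=GRACE):
        """Day 0: issue a new key; the old one keeps working until now + grace.
        grace=timedelta(0) is an assumed option for a leaked key."""
        old, new = self.current, "sk-" + secrets.token_urlsafe(32)
        self.active[new] = None  # new key is live next to the old one
        if not deploy(new):  # deploy: update env vars, redeploy, health check
            del self.active[new]  # roll back: the old key stays current
            self._log(now, old, new, triggered_by, "failed")
            return None
        self.active[old] = now + grace
        self.current = new
        self._log(now, old, new, triggered_by, "success")
        return new

    def is_valid(self, key, now):
        expiry = self.active.get(key, now)  # unknown key counts as already expired
        return expiry is None or now < expiry

    def revoke_expired(self, now):
        """Day 1: drop every key whose grace period is over; returns masked keys."""
        expired = [k for k, t in self.active.items() if t is not None and now >= t]
        for k in expired:
            del self.active[k]
        return [mask(k) for k in expired]

    def export_csv(self):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(self.audit)
        return buf.getvalue()
```

Run `revoke_expired` from the scheduler rather than relying on `is_valid` alone, so an expired key is actually deleted at the provider and not just refused locally.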

Sample Rotation

7 Days Before:

⚠️ Upcoming Key Rotation

Service: OpenAI API
Current key: sk-...x7K2 (expires in 7 days)
Next rotation: Feb 18, 2024
Action required: None (auto-rotation enabled)

Reply SKIP to postpone by 30 days.

Day of Rotation:

🔄 Key Rotation Started

Service: OpenAI API
Old key: sk-...x7K2
New key: sk-...j9M1

Progress:
✅ New key generated
✅ Added to Vercel env vars
✅ Added to Render env vars
⏳ Redeploying services (2/4)...

After Completion:

✅ Key Rotation Complete

Service: OpenAI API
New key: sk-...j9M1
All services updated: 4/4

🕐 Grace period: 24 hours
Old key (sk-...x7K2) will be revoked tomorrow.

[View audit log →]

24 Hours Later:

🗑️ Old Key Revoked

Service: OpenAI API
Revoked key: sk-...x7K2
All services confirmed working with new key.

Rotation complete. Next rotation: Mar 20, 2024.

Pro Tips

  1. Test First: Rotate in staging environment before production
  2. Alerting: If any service fails health check after rotation, auto-rollback
  3. Compliance: Generate SOC 2 compliance reports from audit logs
  4. Emergency Rotation: Trigger immediate rotation if key is leaked
