Step-by-Step Guide
5 steps

How to Rotate API Keys

API key rotation is essential after a potential compromise, when a team member who had access leaves, and as a routine practice that limits how long a leaked key stays useful. Done in the wrong order it causes downtime, because something is still presenting a key the provider no longer accepts. This guide covers how to rotate keys safely with zero downtime.


Follow These Steps

1

Generate a new key at the provider

Create a new API key while keeping the old one active.

Code Example
# Generate new keys at each provider:
# OpenAI: platform.openai.com/api-keys
# Stripe: dashboard.stripe.com/apikeys
# Supabase: app.supabase.com/project/_/settings/api
# AWS: IAM > Users > Security credentials

Most providers allow several active keys at the same time, which is what makes zero-downtime rotation possible. Generate the new key before revoking the old one, and give it the same (or narrower) permissions as the old key so nothing that worked before breaks after the switch.

2

Update the key in all environments

Replace the old key with the new one in every place it is used: production, staging, CI/CD secrets, local development, and any third-party integration that holds it.

Code Example
# Update in hosting platform:
# Vercel: Settings > Environment Variables
# Netlify: Site settings > Environment variables
# Railway: Service > Variables
# Render: Service > Environment

# Update CI/CD secrets and any third-party integration that stores the key

# Update local development:
# Edit .env.local with the new key value (keep the file out of version control)

3

Deploy and verify

Deploy the updated configuration and verify the application works with the new key.

Code Example
# Test the new key works. Paste the key when prompted: read -s keeps it
# off the screen and out of shell history, and curl -f exits non-zero on a
# 401 instead of silently printing an error body.
read -rs NEW_KEY
curl -fsS https://api.openai.com/v1/models \
  -H "Authorization: Bearer $NEW_KEY"

# Deploy the application
# Verify functionality in staging first
# Then deploy to production

4

Revoke the old key

After confirming the new key works in production, deactivate the old key.

Code Example
# Revoke at each provider:
# OpenAI: Delete the old key in API keys settings
# Stripe: Roll the key or delete the old one
# Supabase: Regenerate keys in project settings
# AWS: Set the old access key to Inactive first; delete it once nothing fails

Wait at least 15 minutes after deploying before revoking the old key. Rolling deploys, long-lived workers, and scheduled jobs can keep running with the old key for a while after the new configuration is live, and revoking it too early makes those calls fail. If the provider shows when a key was last used (AWS IAM does this for access keys), confirm the old key has gone quiet before revoking it. Deactivating first and deleting later gives you a cheap way back if something was missed.

5

Set up a rotation schedule

Create calendar reminders to rotate keys regularly, and record each rotation (which key, when, which environments were updated) so the next one starts from a known state.

Code Example
# Recommended rotation schedule:
# After any potential compromise: Immediately
# After team member departure: Within 24 hours
# Regular rotation: Every 90 days
# Highly sensitive keys: Every 30 days
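The ordering that steps 1 to 4 describe (generate, update every environment, verify, then revoke) and the two mistakes listed below are easy to get wrong by hand. The following Python is an added example, not code from the original page or from any provider: it drives the rotation through a small provider interface (create_key, verify_key, revoke_key) that a real deployment would implement against the provider's management API, and uses an in-memory FakeProvider and constructed environment stores so it runs offline. It refuses to start if the environments disagree about the current key (a sign an environment was missed last time), rolls everything back if the new key fails verification, and revokes the old key only after the grace period.

```python
"""Generate-update-verify-revoke API key rotation with rollback (added example)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field


class FakeProvider:
    """In-memory stand-in for a provider console (constructed for this example).

    A real implementation would call the provider's management API; these
    three operations are the ones every rotation needs.
    """

    def __init__(self) -> None:
        self.active: set[str] = set()

    def create_key(self) -> str:
        key = "sk-" + secrets.token_hex(16)
        self.active.add(key)
        return key

    def verify_key(self, key: str) -> bool:
        # Stands in for an authenticated request such as GET /v1/models
        return key in self.active

    def revoke_key(self, key: str) -> None:
        self.active.discard(key)


@dataclass
class Rotation:
    """Record of one rotation so the caller can audit what happened."""
    old_key: str
    new_key: str
    updated_envs: list[str] = field(default_factory=list)
    rolled_back: bool = False


def rotate(provider, envs: dict[str, dict[str, str]], var: str,
           grace_seconds: float = 900.0, sleep=time.sleep) -> Rotation:
    """Rotate `var` in every environment; revoke the old key only after the
    new one is verified and the grace period has elapsed.

    envs maps an environment name (production, staging, ci, ...) to its
    variable store, i.e. what a hosting platform's environment variables
    page holds. Every store must hold the same old key; otherwise some
    environment was missed on the last rotation and we stop rather than
    orphan it.
    """
    old_keys = {store.get(var) for store in envs.values()}
    if len(old_keys) != 1 or None in old_keys:
        raise RuntimeError(f"{var} differs across environments: {old_keys}")
    old_key = old_keys.pop()

    new_key = provider.create_key()          # step 1: old key stays active
    rot = Rotation(old_key=old_key, new_key=new_key)

    for name, store in envs.items():         # step 2: update every environment
        store[var] = new_key
        rot.updated_envs.append(name)

    if not provider.verify_key(new_key):     # step 3: verify before revoking
        for store in envs.values():          # roll back; the old key still works
            store[var] = old_key
        provider.revoke_key(new_key)
        rot.rolled_back = True
        return rot

    sleep(grace_seconds)                     # let instances on the old key drain
    provider.revoke_key(old_key)             # step 4: now the old key can go
    return rot


def stale_references(envs: dict[str, dict[str, str]], var: str,
                     old_key: str) -> list[str]:
    """Environments still carrying the old key (the 'forgot an environment' mistake)."""
    return [name for name, store in envs.items() if store.get(var) == old_key]


if __name__ == "__main__":
    provider = FakeProvider()
    current = provider.create_key()
    stores = {env: {"OPENAI_API_KEY": current} for env in ("production", "staging", "ci")}
    result = rotate(provider, stores, "OPENAI_API_KEY", grace_seconds=0)
    print("rolled back:", result.rolled_back)
    print("stale:", stale_references(stores, "OPENAI_API_KEY", current))
```

The grace period is injected as a sleep function so a scheduler can substitute a real wait (the 15 minutes recommended above) and a test can skip it; in production you would also check the provider's last-used data for the old key before the revoke call where the provider exposes it.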

What You'll Achieve

API keys are rotated with zero downtime using a generate-update-verify-revoke process. A regular rotation schedule prevents stale credentials.

Common Mistakes to Avoid

Mistake

Revoking the old key before deploying the new one

Fix

Always generate and deploy the new key first, verify it works, then revoke the old key. This prevents downtime.

Mistake

Forgetting to update all environments

Fix

Check production, staging, CI/CD, local development, and any third-party integrations that use the key.

Frequently Asked Questions

How often should I rotate API keys?

Every 90 days for standard keys, every 30 days for highly sensitive keys, and immediately after any potential compromise or team member departure.

Can I automate key rotation?

Some providers support automated rotation (AWS Secrets Manager can rotate stored secrets on a schedule, and HashiCorp Vault can issue short-lived dynamic credentials that expire on their own). For manual rotation, set calendar reminders and document the process so it is done the same way each time.

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.

Start Security Scan