How to Rotate API Keys Safely
Rotating API keys without downtime. Create new, update config, deploy, then revoke old. Here's the process.
What this problem means
You need to rotate an API key—maybe it was leaked, or it's time for a routine rotation. But your app uses the key. Rotating without a plan can cause downtime or failed requests.
Why this matters
- Security: Leaked keys must be rotated immediately.
- Compliance: SOC2 and others expect key rotation.
- Downtime: Rotating without a plan can break your app.
Real-world example
A startup discovered their API key was in a public repo. They revoked it immediately—and their production app went down. They had to scramble to create a new key and deploy. A safe rotation process would have created the new key first, deployed, then revoked the old one.
How to fix it
1. Create new key: Generate a new key in your provider's dashboard. Don't revoke the old one yet.
2. Update config: Add the new key to your config or secrets manager. Keep both the old and new key available during the transition so nothing breaks mid-rollout.
3. Deploy: Deploy the new config. Verify the app works with the new key.
4. Revoke old key: Once the new key is live and verified in production, revoke the old one in the provider's dashboard.
5. Remove old key: Remove the old key from config and redeploy.
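As an added example (not code from the original article), the following Python client implements the dual-key transition from steps 2 and 3 and the "dual-key support" idea below: the new key is tried first, the old key only as a fallback, and every fallback is counted so the old key is revoked only after the new key has proven itself. The provider stub, the key strings and the RotatingClient name are constructed for illustration.

```python
"""Dual-key client for zero-downtime API key rotation (added example).
The new key is tried first, the old key as fallback; fallbacks are counted so
the old key is revoked only once the new key has served traffic without them."""
from dataclasses import dataclass
from typing import Callable, Sequence

def make_provider(valid_keys: set) -> Callable[[str, str], int]:
    """Constructed stand-in for the API provider: 200 for a valid key, 401 otherwise."""
    def call(path: str, api_key: str) -> int:
        return 200 if api_key in valid_keys else 401
    return call

@dataclass
class RotatingClient:
    provider: Callable[[str, str], int]
    keys: Sequence[str]        # preferred (new) key first, old key last
    primary_ok: int = 0        # successful calls made with the first key
    fallbacks: int = 0         # calls that only succeeded with a later key

    def request(self, path: str) -> int:
        for index, key in enumerate(self.keys):
            status = self.provider(path, key)
            if status != 401:          # any non-auth outcome ends the key loop
                self.primary_ok += index == 0
                self.fallbacks += index > 0
                return status
        return 401

    def safe_to_revoke_old(self, min_calls: int) -> bool:
        """Step 3 gate: new key proven in production and old key never needed."""
        return self.primary_ok >= min_calls and self.fallbacks == 0

def simulate_rotation(premature_revoke: bool = False) -> dict:
    """Walk the five steps; premature_revoke=True reproduces the outage from the story."""
    old, new = "sk_old_PLACEHOLDER", "sk_new_PLACEHOLDER"   # constructed values
    valid = {old}                               # provider state before rotation
    provider = make_provider(valid)
    if premature_revoke:                        # mistake: revoke before new key is live
        valid.discard(old)
        return {"gate": False, "fallbacks": 0, "status": RotatingClient(provider, [old]).request("/v1/ping")}
    valid.add(new)                              # step 1: create new key, keep old
    client = RotatingClient(provider, [new, old])   # steps 2-3: deploy with both keys
    for _ in range(5):
        client.request("/v1/ping")
    gate = client.safe_to_revoke_old(min_calls=5)
    if gate:
        valid.discard(old)                      # step 4: revoke old key
    final = RotatingClient(provider, [new])     # step 5: drop old key from config
    return {"gate": gate, "fallbacks": client.fallbacks, "status": final.request("/v1/ping")}
```

A non-zero fallback count in production logs is the signal that some instance is still running on the old key and the revoke step has to wait.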
Tools and configurations
- Secrets manager: Store keys there. Update the secret; apps fetch the current value at startup or on an interval, so a restart or refresh picks up the new key.
- Environment variables: Update in your deployment config. Redeploy.
- Dual-key support: Some providers let you have two keys—create new, delete old after cutover.
Common mistakes
- Revoking the old key before the new one is live.
- No verification—assuming the new key works.
- Not removing the old key from config (a key that was committed stays in git history).
Quick checklist
- [ ] Create new key (don't revoke old yet)
- [ ] Update config with new key
- [ ] Deploy and verify
- [ ] Revoke old key
- [ ] Remove old key from config
Frequently asked questions
- How do I rotate API keys without downtime?
- Create a new key first. Update your config with the new key. Deploy and verify. Then revoke the old key. Never revoke the old key before the new one is live.
- What happens if I revoke an API key before rotating?
- Your app will fail—all requests using that key will be rejected. Create the new key first, deploy, then revoke the old one.
- How often should I rotate API keys?
- Rotate immediately if leaked. For routine rotation, every 90 days is common. Some compliance frameworks require it.