How to Rotate API Keys - Emergency Response Guide


How to Rotate API Keys

Emergency guide for when your keys are compromised

TL;DR

Generate a new key immediately, update it in your hosting platform's environment variables, redeploy, verify, then revoke the old key. If the key is already being abused and a redeploy is more than a few minutes away, revoke first and accept the downtime. Don't start by scrubbing the key from git history: a key pushed to a public repo should be assumed scraped within minutes, so speed matters more than cleanup.

Time is Critical

Every minute a compromised key stays active is a minute an attacker can use it. A metered API key can rack up thousands of dollars in charges within hours, and a payment or database key can do worse than cost money. Follow these steps immediately.

Quick Action Checklist

  1. Generate new key in service dashboard (2 minutes)
  2. Update environment variable in hosting platform (2 minutes)
  3. Trigger a redeploy (1-5 minutes)
  4. Revoke/delete the old key (1 minute)
  5. Check logs for unauthorized usage (after securing)

If you can already see the key being abused and a redeploy is more than a few minutes away, skip ahead and revoke first; the FAQ below covers that case.

Step-by-Step Guide

Step 1: Generate a new API key

Go to the affected service's dashboard and create a new key. Most services let you have multiple active keys, so you can create the new one before revoking the old one.

Do not delete the old key yet. Your production app is still using it.

Step 2: Update your production environment

Update the environment variable in your hosting platform, in every environment that uses it (production and preview/staging) and in every service that shares the key (workers, cron jobs, a second app):

  • Vercel: Project Settings → Environment Variables → Edit → Save
  • Netlify: Site Settings → Environment Variables → Edit → Save
  • Railway: Service → Variables → Update value

Also update your local .env.local file with the new key, and confirm that .env* files are listed in .gitignore so the new key can't leak the same way.

Step 3: Redeploy your application

Most platforms pick up environment variable changes on the next deploy:

# Vercel - trigger redeploy
vercel --prod

# Or, if the project deploys from a connected Git repo, push an empty commit
git commit --allow-empty -m "Rotate API keys"
git push

Some platforms (like Railway) redeploy automatically when a variable changes, so no manual trigger is needed.

Step 4: Verify the new key is working

Test your production site to confirm the new key is active:

  • Make a request that uses the API key
  • Confirm the live deployment was built after the variable change (check the deploy timestamp), not a cached build
  • Check your application logs for authentication errors
  • Verify the feature works as expected

Step 5: Revoke the compromised key

Only after confirming production works, delete or disable the old key in the service dashboard. The compromised key should no longer work anywhere.

Step 6: Check for unauthorized usage

Review the service's request logs or usage dashboard for the period between the exposure and the revocation, looking for:

  • Unusual API call volume
  • Requests from IP addresses that aren't your own servers (where the service shows the caller's IP)
  • Endpoints your app never calls, or activity outside your normal hours
  • Unexpected charges or usage patterns
  • Anything the attacker may have created for persistence, such as new keys, webhooks or users
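The review described in this step, as an added example that is not code from the guide or from any of the services it names. It reads a line-oriented log (one JSON object per line with ts, key_id, src_ip, status and endpoint); that format, the key ids, the IPs and the timestamps are all constructed assumptions for the example, so adapt parse_log() to whatever export your provider's dashboard actually gives you.

```python
"""Review an API usage log for signs that a leaked key was abused.

Added example for the "check for unauthorized usage" step; not code from the
guide or from any API provider. The log format (one JSON object per line with
ts, key_id, src_ip, status, endpoint) is assumed; the key ids, IPs and
timestamps below are constructed sample data.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log. "sk_old" is the leaked key, "sk_new" its replacement;
# the leak happened at 10:00Z. 203.0.113.0/24 is the app's own egress range.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:40:00Z", "key_id": "sk_old", "src_ip": "203.0.113.10", "status": 200, "endpoint": "/v1/charges"}
{"ts": "2024-05-01T09:55:00Z", "key_id": "sk_old", "src_ip": "203.0.113.10", "status": 200, "endpoint": "/v1/customers"}
{"ts": "2024-05-01T10:07:12Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 200, "endpoint": "/v1/balance"}
{"ts": "2024-05-01T10:07:13Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 200, "endpoint": "/v1/customers"}
{"ts": "2024-05-01T10:07:15Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 200, "endpoint": "/v1/customers"}
{"ts": "2024-05-01T10:08:01Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 200, "endpoint": "/v1/payouts"}
{"ts": "2024-05-01T10:08:02Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 402, "endpoint": "/v1/payouts"}
{"ts": "2024-05-01T10:30:00Z", "key_id": "sk_old", "src_ip": "203.0.113.10", "status": 200, "endpoint": "/v1/charges"}
{"ts": "2024-05-01T11:05:00Z", "key_id": "sk_new", "src_ip": "203.0.113.10", "status": 200, "endpoint": "/v1/charges"}
{"ts": "2024-05-01T11:06:00Z", "key_id": "sk_old", "src_ip": "198.51.100.77", "status": 401, "endpoint": "/v1/balance"}
"""

EXPOSED_AT = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
KNOWN_NETWORKS = ["203.0.113.0/24"]  # assumption: where your own deployments call from


def parse_log(text):
    """Parse one JSON object per line; timestamps become aware UTC datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def review_usage(records, old_key_id, exposed_at, known_networks, hourly_baseline):
    """Return the three things worth checking after a key leak.

    old_key_after_exposure: every call made with the leaked key from the moment
        it was exposed. Calls from your own IPs are your app still running on
        the old key before the redeploy; calls from elsewhere are the attacker.
    unknown_ips: call counts per source IP outside known_networks.
    volume_spikes: hours whose call count exceeds hourly_baseline.
    """
    nets = [ip_network(n) for n in known_networks]
    old_after = []
    unknown_ips = Counter()
    per_hour = Counter()
    for rec in records:
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        per_hour[hour] += 1
        src = ip_address(rec["src_ip"])
        known = any(src in net for net in nets)
        if not known:
            unknown_ips[rec["src_ip"]] += 1
        if rec["key_id"] == old_key_id and rec["ts"] >= exposed_at:
            old_after.append({**rec, "known_source": known})
    spikes = {h.isoformat(): n for h, n in sorted(per_hour.items()) if n > hourly_baseline}
    return {"old_key_after_exposure": old_after, "unknown_ips": unknown_ips, "volume_spikes": spikes}


def attacker_calls(findings):
    """Post-exposure calls with the old key that did not come from your own networks."""
    return [r for r in findings["old_key_after_exposure"] if not r["known_source"]]


if __name__ == "__main__":
    f = review_usage(parse_log(SAMPLE_LOG), "sk_old", EXPOSED_AT, KNOWN_NETWORKS, hourly_baseline=3)
    for r in attacker_calls(f):
        print(f'{r["ts"].isoformat()} {r["src_ip"]} {r["status"]} {r["endpoint"]}')
    print("unknown IPs:", dict(f["unknown_ips"]))
    print("hours above baseline:", f["volume_spikes"])
```

On the sample data this separates the two kinds of post-exposure traffic: the 10:30 call from 203.0.113.10 is the still-undeployed app using the old key, while the six calls from 198.51.100.77 are the attacker, including a 401 after the key was revoked. The 402 on /v1/payouts is the kind of line to look at first: the attacker tried to move money and was refused, which is exactly what the payment dashboard needs to confirm.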

Service-Specific Instructions

Stripe

  1. Go to Developers → API Keys
  2. Click "Create secret key" (you can name it for tracking)
  3. Update STRIPE_SECRET_KEY in your hosting platform
  4. Redeploy
  5. Click "..." next to the old key → "Delete". (Stripe's "Roll key" is the alternative: it creates the replacement for you and expires the old key on a schedule you choose, including immediately. If you use it, it replaces steps 2 and 5.)

Check Developers → Logs (API requests) and Events for calls you didn't make, and Payments for unexpected charges, refunds or payouts.

OpenAI

  1. Go to platform.openai.com → API Keys
  2. Click "Create new secret key"
  3. Update OPENAI_API_KEY in your hosting platform
  4. Redeploy
  5. Delete the old key

Check the Usage page for calls you didn't make, and set a monthly usage limit so a future leak is capped at a known cost.

Supabase

  1. Go to Project Settings → API
  2. The anon and service_role keys are JWTs signed by the project's JWT secret, so they can't be rotated individually: generate a new JWT secret under JWT Settings
  3. Update both SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY
  4. Redeploy all services using these keys

Note: Rotating the JWT secret invalidates both keys at once and also every existing user session, so users will be signed out. The service_role key bypasses Row Level Security; treat its exposure as full database access and review the data, not just the usage dashboard.

Firebase

  1. Go to Project Settings → Service Accounts
  2. Click "Generate new private key"
  3. Update the JSON credentials in your hosting platform
  4. Redeploy
  5. The Firebase console can't list or delete existing keys, but the key belongs to a Google Cloud service account: open Google Cloud Console → IAM & Admin → Service Accounts → the Firebase Admin SDK account → Keys and delete the compromised key. Its ID is the private_key_id field of the leaked JSON file (or run `gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL`). Only create a new service account if you can't identify which key leaked.

After the Emergency

Once your keys are rotated and secured:

  1. Investigate how the leak happened - Check git history (including branches and forks), CI logs, and whether the key was shipped to the browser in a client bundle; a variable with a public prefix (NEXT_PUBLIC_, VITE_) is visible to every visitor
  2. Set up preventive measures - Enable GitHub secret scanning and push protection, add a pre-commit hook that rejects key-shaped strings
  3. Document the incident - Note the timeline (exposure, rotation, revocation) and any impact for future reference
  4. Review other keys - Anything that lived in the same file, commit or environment was exposed the same way; rotate those too
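A pre-commit hook of the kind item 2 recommends, as an added example that is not code from the guide. It scans only the added lines of the staged diff for key formats belonging to the services this guide covers plus AWS; the prefixes are an assumption about current formats and will need extending as providers change them. The sample diff is constructed for the example, and the Stripe-looking value in it is made up.

```python
"""Pre-commit hook that blocks a commit when the staged diff contains a
credential in a known format.

Added example for the "add pre-commit hooks" preventive measure; not code from
the guide. Install as .git/hooks/pre-commit (chmod +x) or call it from your
hook manager. Only added lines are inspected, so a commit that removes a key
passes, and a line carrying the marker "allow-secret" is skipped so documented
placeholders do not block you. PATTERNS is an assumption about current key
formats; SAMPLE_DIFF is constructed for the example.
"""
import re
import subprocess
import sys
from typing import NamedTuple

PATTERNS = {
    "stripe_secret": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}"),
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ALLOW_MARKER = "allow-secret"
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff: a hard-coded Stripe-style key in application code and
# an OpenAI-style value in .env.example; the AWS line uses the allow-list marker.
SAMPLE_DIFF = """\
diff --git a/lib/stripe.ts b/lib/stripe.ts
--- a/lib/stripe.ts
+++ b/lib/stripe.ts
@@ -1,3 +1,4 @@
 import Stripe from "stripe";
-const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
+// TODO remove before merge
+const stripe = new Stripe("sk_live_4eC39HqLyjWDarjtT1zdp7dc");
 export default stripe;
diff --git a/.env.example b/.env.example
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,3 @@
 STRIPE_SECRET_KEY=
+OPENAI_API_KEY=sk-your-key-here-1234567890abcdefghij
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE  # allow-secret: documented AWS placeholder
"""


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str


def redact(secret):
    """Show enough to locate the value without echoing it into terminal history."""
    return secret[:8] + "..." + secret[-4:]


def scan_diff(diff_text):
    """Walk a unified diff and report credential-looking tokens on added lines."""
    findings = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header, or "\ No newline at end of file"
        m = HUNK.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line number in this hunk
            continue
        if raw.startswith("-"):
            continue  # removed lines never reach the repository
        if raw.startswith("+") and ALLOW_MARKER not in raw:
            for kind, pat in PATTERNS.items():
                for hit in pat.finditer(raw[1:]):
                    findings.append(Finding(path, new_line, kind, redact(hit.group(0))))
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


def staged_diff():
    """The diff git is about to commit (what a pre-commit hook must inspect)."""
    return subprocess.run(["git", "diff", "--cached"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = sys.stdin.read() if "--stdin" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for h in hits:
        print(f"{h.path}:{h.line}: {h.kind} {h.redacted}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run it with `--stdin` to scan an arbitrary diff (`git diff main | python pre-commit.py --stdin`), for instance to check a branch before opening a pull request. The hook prints a redacted form of each match on purpose: a scanner that echoes the full key into CI logs creates a second copy of the secret to rotate.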

Should I try to remove the key from git history?

Not as your first step. Once a key hits a public repo, assume it's been scraped within minutes. Rotate the key first, then worry about cleaning history if needed. Cleaning history is complicated and time-consuming, and forks, clones and cached views of the old commits may keep the key around anyway, so rotation is the only fix that actually closes the exposure.

How long does it take for attackers to find exposed keys?

Automated scanners watch public GitHub commits in real time. Experiments with deliberately leaked AWS keys have reported the keys being used within about five minutes of the push. Act immediately.

What if I can't redeploy right away?

If you have access to the service dashboard but can't redeploy, disable or delete the key now and accept the downtime until you can deploy the replacement. A few minutes of downtime is better than hours of unauthorized access.

