Rotate Compromised Credentials with AI

TL;DR

If your API keys were exposed, rotate them immediately. These prompts guide you through generating new keys, updating your codebase, deploying the changes, and revoking the old keys. Speed matters because attackers can find and use exposed keys within minutes.

Time is critical. Exposed credentials can be found and exploited within minutes by automated scanners. Start the rotation process immediately, then use these prompts to ensure you don't miss anything.

Emergency Rotation Checklist

Use this prompt to get a prioritized rotation plan for every exposed credential. Your AI will map out where each key is used, which environments need updating, and the exact steps to rotate without causing downtime.

AI Prompt

Emergency Rotation Plan

I have exposed credentials that need immediate rotation. Help me create an emergency rotation plan.

Exposed credentials: [list the types of credentials exposed, e.g., Stripe API key, database password, JWT secret]

For each credential, give me:

  1. Where to generate a new key (dashboard URL)
  2. All places in the codebase that reference it
  3. All deployment environments that need updating
  4. Steps to update without causing downtime
  5. How to verify the new key works
  6. How to revoke the old key

Also check:

  • Are there any dependent services that use this key?
  • Are there any webhooks that need updating?
  • Is this key stored in any CI/CD secrets?
  • Could this key have been used to access other resources?

Service-Specific Rotation

Stripe Key Rotation

Paste this prompt to walk through a complete Stripe API key rotation. Your AI will find every reference to your Stripe key, guide you through the Dashboard rolling process, and ensure webhook signing secrets are also updated.

AI Prompt

Rotate Stripe Keys

My Stripe API key was exposed and needs immediate rotation.

Help me:

  1. Find all places in the codebase using the Stripe key
  2. Identify if it's the secret key (sk_) or publishable key (pk_)
  3. Check if webhook signing secrets also need rotation
  4. List all environments (dev, staging, prod) that need updating

Rotation steps:

  1. Go to Stripe Dashboard > Developers > API Keys
  2. Click "Roll key" to generate a new key (the old key stays active briefly)
  3. Update all environment variables
  4. Deploy to all environments
  5. Test a payment flow
  6. Revoke the old key in Stripe Dashboard

Also check:

  • Connected accounts if using Stripe Connect
  • Webhook endpoints that need new signing secrets
  • Any stored customer payment methods (they should still work)
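The webhook signing-secret step above, as an added example that is not part of this page's prompts or Stripe's own code: an endpoint that accepts signatures from any currently active secret, so the old secret can stay active during cutover and be dropped afterwards without losing events. The header layout and the HMAC-SHA256 construction are assumptions for the demo, and every secret and event body is constructed.

```python
import hmac
import hashlib
import time
# Signature scheme assumed for this example (modelled on the common provider
# pattern, not a copy of any vendor's code): the header carries the send time
# and an HMAC-SHA256 over "<timestamp>.<body>" keyed with the signing secret.
TOLERANCE_SECONDS = 300

def sign(secret, timestamp, body):
    msg = f"{timestamp}.{body}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def build_header(secret, timestamp, body):  # what the sender attaches
    return f"t={timestamp},v1={sign(secret, timestamp, body)}"

def verify(header, body, active_secrets, now=None):
    """active_secrets maps a label ("old"/"new") to a signing secret. During the
    overlap both are present; once no event verifies with "old" any more, drop it
    here and revoke it at the provider. Returns the label that matched, or None."""
    now = time.time() if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts, given = int(parts["t"]), parts["v1"]
    except (KeyError, ValueError):
        return None  # malformed header
    if abs(now - ts) > TOLERANCE_SECONDS:
        return None  # stale or replayed event
    for label, secret in active_secrets.items():
        if hmac.compare_digest(sign(secret, ts, body), given):  # constant-time compare
            return label
    return None

# Constructed demo values; not real signing secrets or events.
OLD_SECRET = "whsec_OLD_example_0000000000000000"
NEW_SECRET = "whsec_NEW_example_1111111111111111"
EVENT_BODY = '{"id":"evt_example","type":"payment_intent.succeeded"}'

def rotation_demo(now=1_700_000_000):
    """Overlap phase: events signed with either secret verify. After the old
    secret is removed, old-signed events are rejected, as are stale or tampered ones."""
    overlap = {"new": NEW_SECRET, "old": OLD_SECRET}
    old_signed = build_header(OLD_SECRET, now, EVENT_BODY)
    new_signed = build_header(NEW_SECRET, now, EVENT_BODY)
    return {
        "old_during_overlap": verify(old_signed, EVENT_BODY, overlap, now),
        "new_during_overlap": verify(new_signed, EVENT_BODY, overlap, now),
        "old_after_revoke": verify(old_signed, EVENT_BODY, {"new": NEW_SECRET}, now),
        "stale_event": verify(new_signed, EVENT_BODY, overlap, now + 3600),
        "tampered_body": verify(new_signed, EVENT_BODY + " ", overlap, now),
    }
```

Logging which label matched tells you when the last sender has moved to the new secret, which is the signal to revoke the old one.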

AWS Credentials Rotation

Use this prompt to safely rotate exposed AWS access keys. Your AI will identify all services using the compromised credentials, generate new keys through IAM, and guide you through a disable-then-delete process with CloudTrail monitoring.

AI Prompt

Rotate AWS Keys

My AWS access keys were exposed. This is critical because AWS keys can access compute and incur massive charges.

Immediate actions:

  1. Go to AWS Console > IAM > Users > Security credentials
  2. Create new access key
  3. Note the secret (shown only once)
  4. DO NOT delete old key yet

Help me:

  1. Find all places using AWS credentials in the codebase
  2. Identify all services that might use these keys (EC2, S3, Lambda, etc.)
  3. Check for hardcoded credentials AND environment variables
  4. Update all deployment platforms

After updating everywhere:

  1. Disable (not delete) the old key first
  2. Monitor for any errors for 24 hours
  3. Then delete the old key

Also check CloudTrail for any suspicious activity while the key was exposed.

Database Credential Rotation

Copy this prompt to rotate a compromised database password with zero downtime. Your AI will locate every connection string, plan a parallel-user migration strategy, and verify all services reconnect successfully.

AI Prompt

Rotate Database Password

My database password was exposed. Help me rotate it safely.

Database type: [Supabase/PostgreSQL/MongoDB/MySQL]

Steps needed:

  1. Find all connection strings in the codebase
  2. Identify all services connecting to this database
  3. Plan for zero-downtime rotation

For managed databases (Supabase, PlanetScale, etc.):

  1. Create a new database password in the dashboard
  2. Update all environment variables
  3. Deploy all services
  4. Verify connections work
  5. Revoke the old password

For self-managed databases:

  1. Create a new user with the same permissions
  2. Update connection strings to use new user
  3. Deploy and verify
  4. Drop the old user

Check if any of these also need updating:

  • Database migrations
  • Backup scripts
  • Monitoring tools
  • Data pipelines

OpenAI / AI API Key Rotation

Use this prompt to immediately rotate an exposed OpenAI or AI service API key. Your AI will find all usages, verify none are client-side, and help you set up usage limits and alerts to prevent costly abuse.

AI Prompt

Rotate AI Service Keys

My OpenAI (or other AI service) API key was exposed. These keys can rack up costs quickly.

Immediate actions:

  1. Go to OpenAI dashboard > API Keys
  2. Create a new key
  3. Delete the exposed key IMMEDIATELY (no grace period needed)

Help me:

  1. Find all places using the AI API key
  2. Ensure the key is only used server-side
  3. If any client-side usage exists, fix that architecture
  4. Add rate limiting to prevent abuse

Also:

  • Check OpenAI usage dashboard for unexpected charges
  • Set up usage limits and alerts
  • Consider using project-specific keys if available

Post-Rotation Verification

Copy this prompt after rotating your credentials to verify everything is working. Your AI will check all integrations, confirm old keys are revoked, and test critical flows like authentication, payments, and webhooks.

AI Prompt

Verify Rotation Complete

I've rotated my credentials. Help me verify everything is working and secure.

Check:

  1. All API integrations are functioning
  2. No references to old credentials remain in code
  3. Old credentials are revoked/deleted
  4. Whether git history needs cleaning (for public repos, a committed key stays visible in past commits)
  5. No other credentials were exposed alongside this one

Test these flows:

  • Authentication
  • Payment processing (if applicable)
  • Third-party API calls
  • Database connections
  • File storage access

Also verify:

  • CI/CD pipelines can still deploy
  • Monitoring and logging still work
  • Webhooks are still receiving events
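The post-rotation check above ("no references to old credentials remain"), together with the "find all places in the codebase" steps in the earlier prompts and the server-side-only check for AI keys, as an added example that is not part of this page's prompts: it scans a repository snapshot for credential references, classifies them by key prefix, flags any value from the list you just revoked, and marks secrets that sit in browser-bundled code. The Stripe sk_/pk_/whsec_, AWS AKIA/ASIA and OpenAI sk- formats and the client-side heuristics are assumptions about vendor and framework conventions, and the sample files are constructed.

```python
import re
from collections import namedtuple
# Well-known key prefixes for the services this page covers (assumed vendor
# formats, not values from the page): Stripe, AWS access key IDs, OpenAI.
PATTERNS = {
    "stripe_secret": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"),
    "stripe_publishable": re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{8,}"),
    "stripe_webhook_secret": re.compile(r"\bwhsec_[A-Za-z0-9]{8,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
}
# Assumed browser-bundle hints: framework "public" env-var prefixes and client-only dirs.
CLIENT_ENV_PREFIXES = ("NEXT_PUBLIC_", "VITE_")
CLIENT_PATH_PREFIXES = ("public/", "src/components/")
# kind is a PATTERNS name, "revoked_<name>", or "revoked_credential" (old value, no known format)
Finding = namedtuple("Finding", "path line kind redacted client_side")

def redact(value):  # reports and logs never carry the full secret
    return value[:8] + "..." + value[-4:] if len(value) > 20 else value[:3] + "..."

def is_client_side(path, line):
    return line.lstrip().startswith(CLIENT_ENV_PREFIXES) or path.startswith(CLIENT_PATH_PREFIXES)

def scan(files, revoked=()):
    """files maps path -> text. Values in `revoked` (the keys and passwords you just
    rotated) are labelled revoked_* so the post-rotation check can assert none remain."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            client, seen = is_client_side(path, line), set()
            for kind, rx in PATTERNS.items():
                for value in (m.group(0) for m in rx.finditer(line)):
                    seen.add(value)
                    label = "revoked_" + kind if value in revoked else kind
                    findings.append(Finding(path, lineno, label, redact(value),
                                            client and kind != "stripe_publishable"))
            for old in revoked:  # catches old DB passwords and other format-less values
                if old in line and old not in seen:
                    findings.append(Finding(path, lineno, "revoked_credential", redact(old), client))
    return findings
# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    ".env.production": "STRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000001\n"
                       "NEXT_PUBLIC_STRIPE_KEY=pk_live_EXAMPLE0000000000000002\n"
                       "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
                       "DATABASE_URL=postgres://app:OldDbPassw0rd@db.internal/app\n",
    "src/server/webhooks.ts": 'const secret = "whsec_EXAMPLE0000000000000003";\n',
    "src/components/Chat.tsx": 'const OPENAI_KEY = "sk-EXAMPLE000000000000000004";\n',
}
OLD_VALUES = ("sk_live_EXAMPLE0000000000000001", "OldDbPassw0rd")  # what was just rotated
```

Any revoked_* finding after deployment means a reference to the old credential survived the rotation; a client_side finding on a non-publishable key is the architecture problem the AI-key prompt asks you to fix.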

Pro tip: After rotation, set a reminder to check your service dashboards in 24-48 hours for any unusual activity that might indicate the old key was used before rotation.

How quickly should I rotate a compromised API key?

Immediately. Automated bots scan for exposed credentials and can exploit them within minutes. The longer you wait, the more potential damage.

Do I need to rotate keys that were only briefly exposed?

Yes. Even brief exposure is enough for automated scanners to capture credentials. Treat any exposed key as compromised and rotate it.

How do I rotate keys without downtime?

Most services allow multiple active keys. Generate a new key, update your application, verify it works, then revoke the old key. This allows zero-downtime rotation.

Prevent Future Exposures

Set up continuous scanning to catch exposed credentials before attackers do.
