Every rotation guide on Google starts with "set up AWS Secrets Manager." Most teams don't have that. They have five keys, a deploy pipeline, and a 90-day cadence to keep. Here's how to rotate manually without any of the enterprise tooling.
The actual rotation work is provider-side and deploy-side. The provider generates a new key. You deploy it as an env var. You verify the new key is in use. You revoke the old one. None of that requires automation, and most modern providers support a transition window where both keys are valid.
What a vault buys you is taking the human out of the deploy/verify loop, which matters when you have 50 keys to rotate. For 5 keys, it adds infrastructure to maintain. For 15, it might break even. The threshold where automation actually saves time is higher than most teams assume.
Do this once for each key, every 90 days. Total time is about 20 to 30 minutes per key for most third-party APIs.
The workflow is the same for every provider; what differs is the quirks each platform brings.
Stripe has a built-in "Rotate key" action with a configurable expiration on the old key. Set the expiration to 24 hours and you get a clean transition window without any custom work.
OpenAI: multiple keys per organization or project. Create the new key, deploy it, then revoke the old one. Tip: set a per-key monthly budget so a future leak has a ceiling.
SendGrid: named API keys with per-key permissions. Create a parallel key, swap env vars, then delete the old key. Watch for keys hardcoded in old marketing email templates.
AWS: each IAM user can have two active access keys. Create the second, deploy it, deactivate (don't delete) the first, monitor for failures, then delete after the transition.
GitHub: personal access tokens used for CI, automation, or git operations. Fine-grained tokens are preferred. Create a new token with the same scope, update all consumers, revoke the old one.
Google Cloud: each service account can hold up to 10 keys. Generate a new JSON key, deploy it, wait out the transition, then disable and delete the old one. Avoid using user-bound credentials for production.
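The generate / deploy / verify / revoke sequence from the entries above, as an added example that is not code from the original article or from any provider's SDK. It runs against a constructed in-memory provider modelled on the AWS-style rules (a cap on active keys, deactivate before delete), so it executes offline. `FakeProvider`, `rotate_key`, `finish_rotation`, the consumer layout and every key id are assumptions made for this illustration. The important behaviour is in the verify step: if any consumer is still presenting the old key (the hardcoded-template case), nothing is revoked and the new key is retired instead.

```python
# Added example, not code from the original article or from any provider's SDK.
# Hypothetical names: FakeProvider, rotate_key, finish_rotation, the consumer
# dict layout and the "FAKE0001" ids are all constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FakeProvider:
    """Constructed stand-in for an IAM-style provider: a hard cap on keys per
    identity, and a key must be deactivated before it can be deleted."""
    max_keys: int = 2
    keys: Dict[str, str] = field(default_factory=dict)  # key id -> "active" | "inactive"
    issued: int = 0

    def create_key(self) -> str:
        if len(self.keys) >= self.max_keys:
            raise RuntimeError("key limit reached: delete a retired key first")
        self.issued += 1
        key_id = f"FAKE{self.issued:04d}"  # constructed id, not a real key format
        self.keys[key_id] = "active"
        return key_id

    def deactivate_key(self, key_id: str) -> None:
        self.keys[key_id] = "inactive"

    def delete_key(self, key_id: str) -> None:
        if self.keys.get(key_id) != "inactive":
            raise RuntimeError(f"{key_id} must be deactivated before deletion")
        del self.keys[key_id]


# Each consumer is a deploy target: its env mapping plus whether the deploy
# pipeline can update it. A key hardcoded in an old template shows up here as
# a consumer the pipeline cannot update.
Consumers = Dict[str, dict]


def rotate_key(provider: FakeProvider, consumers: Consumers, var: str, old_key: str) -> dict:
    """Generate, deploy, verify. Revokes nothing until verification passes."""
    new_key = provider.create_key()                       # 1. generate
    for cons in consumers.values():                       # 2. deploy as an env var
        if cons["pipeline_managed"]:
            cons["env"][var] = new_key
    stale = sorted(name for name, cons in consumers.items()
                   if cons["env"].get(var) != new_key)   # 3. verify every consumer moved
    if stale:
        # Verification failed: retire the new key, keep the old one active,
        # and report what still needs a manual update.
        provider.deactivate_key(new_key)
        provider.delete_key(new_key)
        return {"status": "aborted", "active": old_key, "stale": stale}
    provider.deactivate_key(old_key)                      # 4. deactivate; do not delete yet
    return {"status": "transition", "active": new_key, "retiring": old_key}


def finish_rotation(provider: FakeProvider, retiring: str) -> List[str]:
    """After the transition window passes with no failures, delete the old key."""
    provider.delete_key(retiring)
    return sorted(provider.keys)


def demo_clean() -> dict:
    """Two pipeline-managed consumers: rotation completes end to end."""
    provider = FakeProvider()
    old = provider.create_key()
    consumers = {
        "api": {"env": {"API_KEY": old}, "pipeline_managed": True},
        "worker": {"env": {"API_KEY": old}, "pipeline_managed": True},
    }
    result = rotate_key(provider, consumers, "API_KEY", old)
    result["remaining"] = finish_rotation(provider, result["retiring"])
    return result


def demo_stale_consumer() -> dict:
    """One consumer the pipeline cannot reach: rotation aborts, old key stays live."""
    provider = FakeProvider()
    old = provider.create_key()
    consumers = {
        "api": {"env": {"API_KEY": old}, "pipeline_managed": True},
        "legacy-cron": {"env": {"API_KEY": old}, "pipeline_managed": False},
    }
    result = rotate_key(provider, consumers, "API_KEY", old)
    result["provider_keys"] = dict(provider.keys)
    return result


if __name__ == "__main__":
    print(demo_clean())
    print(demo_stale_consumer())
```

The deactivate-before-delete split is what gives you the monitoring window: a consumer you forgot about fails loudly while the old key can still be reactivated, instead of failing after the key is gone for good.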
A spreadsheet beats no tracker. The minimum columns to keep, one row per key: service, key ID (last 4 chars), last rotation date, next rotation date, owner.
Sort by "next due" ascending. The top row is what you rotate next. If you want to stagger the load, intentionally pick rotation dates so you're doing one or two per month instead of all of them in one panic week.
A spreadsheet alone doesn't rotate keys. You need something that interrupts you on the date. A calendar event gets dismissed. An email that follows up until you click "done" is the system that survives a busy quarter.
Set a 90-day reminder for your next rotation. No account. Just the email that gets you to actually do it.
Yes, you can rotate without a vault. The actual rotation work is the same with or without one: generate a new key, deploy it to your environment, verify traffic moved, revoke the old one. A vault automates the deploy and verify steps. Without one, you do those by hand. The work is small. The hard part is remembering on the 90-day cadence.
A list of every key you own, the rotation procedure for each provider, environment variables (not hardcoded keys), and a reliable reminder system. That's it. No Vault, no Secrets Manager, no automation pipeline.
For small teams with a handful of third-party API keys, manual rotation is enough. Manual rotation done on cadence is significantly better than automated rotation that was never set up. The point of automation is to scale rotation to dozens or hundreds of keys without proportional human time. If you have five keys, manual is fine.
A spreadsheet, a Notion table, or a shared doc. One row per key with: service, key ID (last 4 chars), last rotation date, next rotation date, owner. Sort by next rotation date. Set a single reminder per key on its next rotation date.
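The tracker described in the FAQ answer above and in the "spreadsheet beats no tracker" section earlier, as an added example that is not part of the original article: one row per key with the five columns the text names, next-due computed from the 90-day cadence, sorting so the top row is the next rotation, a due-soon check, and a stagger helper that spreads a batch of keys across the cycle instead of leaving them all due in one week. The `KeyRow` layout, the function names and the sample rows are constructed for this illustration; the sample key ids are placeholders, and the row type refuses anything longer than the last four characters so a whole key cannot end up in the sheet.

```python
# Added example, not code from the original article. Row layout, function
# names, dates and the sample key ids are all constructed for this illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

CADENCE_DAYS = 90                 # the cadence the article uses
TODAY = date(2024, 4, 1)          # constructed "today" so the example is deterministic


@dataclass
class KeyRow:
    service: str
    key_last4: str                # only the last 4 characters, never the key itself
    last_rotated: date
    owner: str

    def __post_init__(self) -> None:
        # Guard against someone pasting a whole key into the tracker.
        if len(self.key_last4) != 4:
            raise ValueError(f"{self.service}: record only the last 4 chars of the key id")

    @property
    def next_due(self) -> date:
        return self.last_rotated + timedelta(days=CADENCE_DAYS)


def last4(key_id: str) -> str:
    """What to write in the tracker for a key id: its last four characters."""
    return key_id[-4:]


def rotation_queue(rows: List[KeyRow]) -> List[KeyRow]:
    """Sort by next due ascending; the top row is what you rotate next."""
    return sorted(rows, key=lambda r: r.next_due)


def due_within(rows: List[KeyRow], today: date, days: int = 14) -> List[str]:
    """Services whose rotation is overdue or due within the window, soonest first."""
    cutoff = today + timedelta(days=days)
    return [r.service for r in rotation_queue(rows) if r.next_due <= cutoff]


def stagger(rows: List[KeyRow], start: date) -> List[Tuple[str, date]]:
    """Spread the keys evenly across one cadence so you rotate one or two per
    month instead of all of them in one week. Returns (service, rotate-on date)."""
    step = CADENCE_DAYS // max(len(rows), 1)
    return [(r.service, start + timedelta(days=i * step))
            for i, r in enumerate(rotation_queue(rows))]


# Constructed sample rows; services, owners, dates and key ids are made up.
SAMPLE_ROWS = [
    KeyRow("stripe", last4("sk_live_EXAMPLE1234"), date(2024, 1, 10), "alice"),
    KeyRow("sendgrid", last4("SG.EXAMPLE5678"), date(2024, 1, 12), "bob"),
    KeyRow("github-ci", last4("ghp_EXAMPLE9012"), date(2024, 2, 20), "alice"),
]

if __name__ == "__main__":
    for r in rotation_queue(SAMPLE_ROWS):
        print(f"{r.service:10} ****{r.key_last4}  due {r.next_due}  owner {r.owner}")
    print("due soon:", due_within(SAMPLE_ROWS, TODAY))
    print("staggered:", stagger(SAMPLE_ROWS, TODAY))
```

Run it and the queue comes out with the two January keys on top, both flagged as due within two weeks of the constructed "today", and the stagger helper pushes the three keys onto dates 30 days apart. The same logic works as a formula column in a real spreadsheet; the code just makes the sort and the stagger explicit.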
Stripe (native transition with overlap window), Twilio (multiple active keys), SendGrid (named API keys you can swap), Google Cloud (multiple service account keys), OpenAI (multiple keys per organization), GitHub (multiple personal access tokens). Most providers have caught up. Older ones with single-key models force a brief outage during rotation.
When the number of keys, services, or environments makes the manual workflow take more than an hour per cycle. For most solo devs and teams under ten people, that point is years away. For teams with shared infrastructure across many services, build the automation when the work justifies it.
Free 90-day reminder. No account. The follow-up emails are the difference between a tracker and a system.