Chapter D · 4 of 4~10 min

Secrets rotation lab

**Revoke, rotate, audit** — leaked API keys are incidents, not cleanup tasks.

Reviewed July 2026 · interactive lab

Paths & resources for this lesson

1Try it yourself

Playground

Secrets rotation lab

Revoke leaked keys, rotate on schedule, audit access.

API key found in a public gist

2Read & reflect

Recap

#What you just did

You chose revoke vs scheduled rotate vs audit for three secret lifecycle events.

Teach

#Pattern

# Dual-key rotation window
1. Issue key_v2 in secrets manager
2. Deploy apps reading key_v2 (both keys valid)
3. Revoke key_v1 after traffic confirms v2
4. Log every read in audit trail

Never paste production keys into Slack, tickets, or lesson repos.

Use it

#When you'd use this

  • Quarterly credential rotation policies
  • Incident response after a leak
  • SOC2 / enterprise customer security reviews

Watch out

#Watch out

Rotating without a dual-key window causes downtime — stage new secrets before revoking old ones.

Try next

#Try this next

List every service that holds your LLM API key and how you would rotate in 15 minutes.

3Spark check

Continue learning · glossary & guides