Rotating API keys every 90 days is the security baseline every framework agrees on. The problem isn't knowing that. It's remembering, on a calendar, three months from now, when you're deep in something else. A scheduled email closes that gap.
Done in seconds. No sign-up required.
Detection is hard. Limiting the damage window is not.
new secrets exposed in public GitHub repositories in a single year (source: GitGuardian State of Secrets Sprawl 2024)
90 days is the rotation interval flagged by the CIS Benchmark (item 1.15) and NIST guidance (source: CIS Google Cloud Foundations Benchmark)
average cost of a data breach involving compromised credentials (source: IBM Cost of a Data Breach Report 2024)
Rotation is one of those tasks that everybody agrees is important and nobody enjoys. It's not urgent on any given day. There's no failure mode that pages you. The key keeps working, services keep responding, and the dashboard doesn't flash red. So it gets pushed to next sprint, then the sprint after that, then it falls off the board entirely.
Teams without a Vault or Secrets Manager rotation policy default to "we'll get to it." Solo developers with five third-party APIs rotate once when they set up the account, and then never again. The CIS Benchmark warning sits in a scanner report nobody reads. Three years pass, and now the Stripe key in your repo has been valid since you were on an older Mac.
The fix is not more tooling. The fix is a calendar event with a follow-up that doesn't give up. Once you've decided 90 days is the right interval, the system you actually need is the one that emails you on day 88 and keeps emailing until you click "done."
You don't need infrastructure to rotate keys reliably. You need a date, a checklist, and something that will tell you when the date arrives even when you've forgotten you set it.
Inventory the keys: Stripe, OpenAI, SendGrid, Twilio, the database, GitHub personal access tokens. One row per key, one rotation owner per row.
Set the reminder: pick a date, get a notification two days before and on the day, then follow-ups until you mark it done. No app, no account, no infrastructure.
Rotate when it fires: generate the new key, deploy it, confirm traffic moved over, then revoke the old one. Reset the reminder. Done for 90 days.
Stolen keys don't expire on their own. They expire when you rotate.
An OpenAI or AWS key leaked to a public repo can rack up thousands of dollars in API charges overnight. Provider refunds are not guaranteed.
A leaked production database or admin API key gives read access to customer records. Most teams don't notice until a researcher emails them.
SOC 2, PCI DSS, and ISO 27001 auditors check key rotation. A key untouched for 18 months is a finding that delays your report.
The details, broken down by what you came here to figure out.
The standard cadence is every 90 days. That number traces back to NIST SP 800-57 and the CIS Benchmark item 1.15, and most cloud providers (Google Cloud, AWS, Azure) recommend the same. High-risk keys (payment processors, production databases) can rotate every 30 days. Low-risk internal keys can stretch to 6 or 12 months.
A key stays valid forever until you revoke it. If it leaked to a public GitHub commit two years ago, a scraper has it and may be using it right now. Rotation limits the window of useful access for any stolen key, capping the blast radius at the rotation interval rather than at "never."
Yes. Plenty of small teams rotate manually: generate a new key in the provider dashboard, deploy it to your environment variables, verify traffic is using the new key, then revoke the old one. The hard part is remembering to do it. A calendar reminder every 90 days covers the one step that, without a secrets manager you don't have, nothing else will: remembering that the date has arrived.
Replacing an active API key with a new one on a schedule, and revoking the old one once you're confident nothing depends on it. The point is to ensure no single key stays valid forever, so a key compromised today expires before an attacker finds enough use for it.
Yes. Scheduled rotation assumes you can't detect every leak. Keys end up in commit history, error logs, screenshots in support tickets, contractor laptops, and old deployment scripts you forgot about. Rotation is a baseline assumption-of-compromise control. The CIS Benchmark flags any key not rotated in 90 days as a finding.
Use a transition period. Most providers let two keys exist at once: provision the new key, deploy it to production, wait until logs show the old key is no longer being used (typically a few hours to a day for cached configs and queued jobs), then revoke the old one. See the API key rotation best practices guide for the full sequence.
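The overlap-then-revoke sequence above, as an added example that is not code from this page or from any provider: a small Python check that reads constructed request-log lines (the `key_id=` log format is a hypothetical one), finds the last time the old key was used, and reports the old key safe to revoke only once it has been idle for a full grace period; it also computes the next 90-day due date and the two reminder dates.

```python
from datetime import datetime, timedelta

ROTATION_INTERVAL = timedelta(days=90)   # the 90-day baseline cadence
GRACE_PERIOD = timedelta(hours=24)       # let cached configs and queued jobs drain

# Constructed sample request log (hypothetical format): timestamp, key id, path.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z key_id=old_key path=/v1/charges
2024-05-01T09:30:00Z key_id=new_key path=/v1/charges
2024-05-01T10:15:00Z key_id=old_key path=/v1/customers
2024-05-02T08:00:00Z key_id=new_key path=/v1/charges
"""

def parse_ts(text):
    """Parse the UTC timestamp format used by the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def last_use(log_text, key_id):
    """Timestamp of the most recent request made with key_id, or None if never seen."""
    latest = None
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines rather than abort the check
        ts = parse_ts(fields[0])
        if fields[1] == f"key_id={key_id}" and (latest is None or ts > latest):
            latest = ts
    return latest

def safe_to_revoke(log_text, old_key_id, now):
    """True only when the old key has been idle for the whole grace period.

    A key that never appears in the log is also safe: nothing is using it.
    """
    seen = last_use(log_text, old_key_id)
    return seen is None or now - seen >= GRACE_PERIOD

def rotation_schedule(rotated_on):
    """Next due date plus the reminder dates: two days before and on the day."""
    due = rotated_on + ROTATION_INTERVAL
    return due, [due - timedelta(days=2), due]

if __name__ == "__main__":
    now = parse_ts("2024-05-02T11:00:00Z")
    print("old key last used:", last_use(SAMPLE_LOG, "old_key"))
    print("safe to revoke now:", safe_to_revoke(SAMPLE_LOG, "old_key", now))
    due, reminders = rotation_schedule(now)
    print("next rotation due:", due.date(), "reminders on:", [d.date() for d in reminders])
```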
Free. No account. Takes 30 seconds. You'll get an email two days before the rotation date, on the day, and follow-ups until you mark it done.
Create API Key Rotation Reminder