Rotating API Keys
Replace any connected API key safely, with a zero-downtime procedure and a plan for suspected leaks.
API keys are like keys to a building: occasionally you should change the locks, and if one might have been copied, you should change them immediately. Rotation means creating a new key, switching your product to it, and revoking the old one. This guide gives you the general procedure and the emergency version.
When to rotate
- Immediately, if a key may have been exposed: pasted into a chat or email, committed to a repository, visible in a screenshot or screen share, or if a provider notifies you of suspicious usage.
- When someone leaves: a departing collaborator or contractor who had access to provider dashboards.
- Periodically, as hygiene: every few months for keys guarding paid services is a reasonable cadence.
The zero-downtime order of operations
The rule is simple: create the new key before revoking the old one.
- Create a new key at the provider — platform.openai.com for OpenAI (keys start with sk-), console.anthropic.com for Anthropic (sk-ant-), the Resend dashboard, Render account settings, or Supabase project settings.
- In Idea to Life, go to Settings, then Integrations, open the provider, and replace the stored key with the new one. Saving triggers an update of the corresponding environment variable on your Render service and a restart or redeploy as needed.
- Verify the affected feature works — send a test email, run an AI feature, whatever the key powers.
- Revoke the old key at the provider. Only now, once the new key is confirmed live.
Skipping straight to revocation works too, but your product's dependent features will error during the gap.
Special cases
- Supabase anon key and URL: these are public by design and rotation is rarely security-driven; Supabase's dashboard handles JWT secret rotation if you ever need it, which invalidates user sessions — treat that as a bigger operation.
- SUPABASE_SERVICE_ROLE_KEY and DATABASE_URL: rotate through the Supabase dashboard's settings, then update the stored values here. These are your most sensitive credentials; a suspected leak of either is an emergency.
- GitHub and Render connections: these are revoked and re-authorized rather than rotated — disconnect and reconnect in Settings.
If you suspect an active compromise
- Revoke first, availability second. A leaked key spending your money outranks uptime.
- Check the provider's usage dashboard for unfamiliar activity and set or lower spending limits.
- Create and store a replacement key as above.
- Look at how the leak happened and close that path.
How keys are stored here
Every key you save is encrypted at rest, displayed only in masked form after saving, and never sent to your browser again; decryption happens server-side at the moment of use. Rotation is still your responsibility and your power — the providers' dashboards always remain the ultimate kill switch, in your hands.