← all posts
how-to · from the raid

How to Rotate API Keys Without Breaking Production

Rotate API keys in 4 steps without downtime: mint a scoped replacement, validate it, swap it into .env.local and Infisical, then revoke the old key.

Shai Snir
rotate api keysapi key managementscoped credentialszero downtimeopen source

Ringtail minting a fresh scoped key and swapping it into production before revoking the old one, with no downtime

Rocco swapped the lock while nobody was looking. The door never stopped working.

Rocco, the Ringtail bandit raccoon

🦝 Rocco: new key in, tested, then the old one goes. never the other way around.

To rotate API keys without breaking production, mint a fresh scoped key, validate it works, swap it into .env.local and Infisical for the target environment, and only then revoke the old one. Ringtail Keys automates all four steps from your .env.example, value-free — because it knows which scoped key maps to which variable per environment, it never leaves prod pointing at a dead token.

Why do key rotations break production?

Rotations break production when the old key is revoked before the new one is live everywhere it's used. The classic failure: someone deletes the old token on the provider's dashboard, assumes the new value is deployed, and a running service that still holds the old key starts 401ing. The gap between "revoked" and "redeployed" is the outage.

The second failure mode is scope drift. The replacement key gets minted with different (often narrower) scopes than the original, so it authenticates but can't do everything the old one did. The call succeeds in one path and fails in another. Both failures come from rotating by hand without a map of which key does what, where.

Rocco, the Ringtail bandit raccoon

🦝 Rocco: everybody revokes first and deploys second. that's the outage, right there.

How do you rotate an API key with zero downtime?

The safe order is always overlap-then-revoke: run both keys briefly, cut over, then retire the old one. Here are the four steps.

Step 1 — Mint a scoped replacement

Create a new key with the same scopes as the one you're replacing, from the provider's official API. Don't revoke anything yet. The old key keeps serving traffic while you prepare the new one. Matching scopes here is what prevents the "authenticates but can't act" failure — see least-privilege API key provisioning for why scope parity matters.

Step 2 — Validate the new key

Confirm the replacement actually works for its intended calls before it touches production config. A key that mints successfully but fails validation is worse than no key — it passes the deploy and fails at runtime. Validation on the spot is the gate.

Step 3 — Swap it into every environment

Write the validated value into .env.local and Infisical for the target environment, and redeploy the services that read it. Because both keys are still valid, there's no window where a service holds a revoked token. Do this per environment so dev, staging, and prod cut over independently.

Step 4 — Revoke the old key

Only after the new key is confirmed live everywhere do you revoke the old one on the provider. Now there's no orphaned service pointing at a dead token, and no over-scoped key lingering as an attack surface.

How does Ringtail rotate keys automatically?

Ringtail knows the map — which scoped key maps to which variable in which environment — because it minted them from your .env.example in the first place. That lets it run the overlap-then-revoke sequence for you.

curl -fsSL ringtail.sh | sh
ringtail up

ringtail up starts the local daemon. Your coding agent triggers a rotation: Ringtail mints a fresh scoped key from the provider's official API, validates it, writes it into .env.local and Infisical for the target env, and retires the old one — all value-free, so the secret never passes through the model. You approve one "allow" per provider the first time; rotations after that are zero-touch.

Manual rotation vs Ringtail

StepManual rotationRingtail Keys
Mint replacementClick through the token pageMinted from official API, scoped
Match scopesRemember and re-check by handSame scopes as the mapped variable
ValidateHope it works; find out in prodValidated on the spot before swap
Swap per environmentCopy-paste into each .envWritten to .env.local + Infisical
Revoke old keyEasy to do too early → outageOnly after new key confirmed live

When should you use Ringtail? (and when not)

Use Ringtail when:

  • You rotate keys on a schedule or after a suspected leak and can't afford a window where prod holds a dead token.
  • You want a coding agent to run rotations without ever seeing the values — see why your agent shouldn't see your API keys.
  • You provisioned the keys from .env.example and want the same map to drive rotation — see .env.example as a manifest.

Don't reach for Ringtail when:

  • You want a hosted vault that stores keys behind a vendor login — Ringtail acquires and rotates, it isn't a storage console.
  • You need an enterprise compliance suite with governance workflows.
  • A provider offers no key-minting API. Ringtail uses official APIs first; where one is missing, it falls back to a guided flow where a human handles the login — never a bot acting with your credentials.

FAQ

How do I rotate an API key without downtime?

Rotate in four steps: mint a fresh key with the same scopes, validate it works, swap it into .env.local and Infisical (and redeploy) for each environment, and only then revoke the old key. The rule is overlap-then-revoke — never revoke the old key before the new one is confirmed live everywhere. Ringtail Keys automates this sequence from your .env.example, value-free.

Why does rotating keys break production?

Rotations break production when the old key is revoked before the new one is deployed to every service that uses it, so a running service suddenly holds a dead token and starts returning 401s. Scope mismatches cause the same class of failure — the new key authenticates but can't do everything the old one did. Both come from rotating by hand without a map of which key is used where.

How often should I rotate API keys?

Rotate on a regular schedule appropriate to the key's sensitivity, and immediately after any suspected exposure — a key committed to git, leaked in a log, or shared in a transcript. The main reason teams under-rotate is that manual rotation risks downtime, so they avoid it. Making rotation safe and automatic removes that excuse; Ringtail Keys runs the overlap-then-revoke sequence for you.

Does Ringtail see my keys during rotation?

No. Ringtail Keys mints, validates, swaps, and revokes keys through each provider's official API, with the secret values written straight into your own .env.local and Infisical. Rotation is value-free — your coding agent orchestrates the sequence while the values never enter the model's context.

Rocco, the Ringtail bandit raccoon
that's the whole thing. want me to mint your keys like this — value-free, one allow per provider? i self-host in one command.