
Manage API keys and rotation

Scoped keys, rotation cadence, and what to do after an accidental leak.

Tags: api · keys · rotation

API keys are a legitimate and sometimes necessary alternative to human logins. They also go stale, get checked into Git, and end up pasted into Stack Overflow questions. Treat them as secrets with an expiry date, not as one-off configuration.

Scope keys narrowly

An API key should do one thing for one system. “Admin” API keys are a liability — if they leak, your remediation options are limited to “rotate and hope.” Scoped keys limit the blast radius and make key purpose self-documenting.

Rotation cadence

  • CI/CD pipelines: 90 days.
  • Production back-ends: 180 days.
  • Everything with access to sensitive findings: 90 days, and additionally whenever anyone who knew the key leaves or changes role.
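The cadence above is easy to state and easy to forget to apply. As an added example (not code from this product), the following Python script checks a key inventory against the three classes and flags keys due for rotation, including the personnel-change trigger for keys with access to sensitive findings. The key classes, field names and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Rotation cadence in days per key class, as listed on this page.
# The class names themselves are an assumption for this example.
CADENCE_DAYS = {
    "ci": 90,                  # CI/CD pipelines
    "prod_backend": 180,       # production back-ends
    "sensitive_findings": 90,  # anything that can read sensitive findings
}


@dataclass
class ApiKey:
    key_id: str                # the public key ID, never the secret
    key_class: str
    last_rotated: date
    # Dates on which someone who knew this key left or changed role.
    personnel_changes: list[date] = field(default_factory=list)


def rotation_due(key: ApiKey, today: date) -> tuple[bool, str]:
    """Return (is_due, reason) for one key.

    The cadence deadline applies to every class; the personnel-change
    trigger applies only to keys with access to sensitive findings.
    """
    if key.key_class not in CADENCE_DAYS:
        raise ValueError(f"unknown key class {key.key_class!r}")
    deadline = key.last_rotated + timedelta(days=CADENCE_DAYS[key.key_class])
    if key.key_class == "sensitive_findings":
        # Only changes that happened after the last rotation matter;
        # earlier ones were already covered by that rotation.
        triggered = [d for d in key.personnel_changes if d > key.last_rotated]
        if triggered:
            return True, f"personnel change on {max(triggered)} after last rotation"
    if today >= deadline:
        return True, f"cadence exceeded (deadline was {deadline})"
    return False, f"next rotation due {deadline}"


def keys_due(keys: list[ApiKey], today: date) -> list[tuple[str, str]]:
    """List (key_id, reason) for every key that should be rotated now."""
    due = []
    for key in keys:
        is_due, reason = rotation_due(key, today)
        if is_due:
            due.append((key.key_id, reason))
    return due


# Constructed sample inventory and evaluation date.
AS_OF = date(2024, 6, 1)
SAMPLE_KEYS = [
    ApiKey("ci-deploy-01", "ci", date(2024, 1, 15)),             # 90-day deadline passed
    ApiKey("prod-billing-02", "prod_backend", date(2024, 1, 15)),  # 180-day deadline not yet reached
    ApiKey("findings-export-03", "sensitive_findings", date(2024, 5, 1),
           personnel_changes=[date(2024, 5, 20)]),                # someone left after rotation
    ApiKey("findings-reader-04", "sensitive_findings", date(2024, 4, 1),
           personnel_changes=[date(2024, 3, 1)]),                 # change predates last rotation
]

if __name__ == "__main__":
    for key_id, reason in keys_due(SAMPLE_KEYS, AS_OF):
        print(f"ROTATE {key_id}: {reason}")
```

Run this from a scheduled job and open a ticket per flagged key rather than relying on people to remember the calendar; the `personnel_changes` list is the part most teams forget to feed.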

After a leak

Rotate the key first, investigate second. A leaked key in a public GitHub repo is usually scraped by bots within minutes; by the time you've finished scoping the blast radius, it may already have been used. Speed beats thoroughness for rotation itself; thoroughness matters for the post-incident review.

Audit logs

Every API key action is logged with the key ID (but not the secret). Use audit logs to verify a key is actually in use before rotating — and to confirm a rotation actually took effect (old key stops appearing, new key starts).
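Both checks described here, and the "rotate first, verify afterwards" step from the leak section above, can be automated against the audit log. As an added example (not this product's code or log format), the Python below parses a constructed JSON-lines audit log, confirms a key has been used recently before you rotate it, and after rotation confirms the new key ID is active and the old one is no longer accepted. The field names (`ts`, `key_id`, `action`, `status`) and the key IDs are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed audit-log sample: one JSON object per line, identified by key ID
# only, never the secret. Events after 2024-06-03T10:00Z follow a rotation from
# key_old_7f3a to key_new_b8e1; the 401 is a client still holding the old key.
AUDIT_LOG = """\
{"ts": "2024-04-01T12:00:00Z", "key_id": "key_idle_19c2", "action": "findings.list", "status": 200}
{"ts": "2024-06-01T08:00:00Z", "key_id": "key_old_7f3a", "action": "findings.list", "status": 200}
{"ts": "2024-06-01T09:30:00Z", "key_id": "key_old_7f3a", "action": "findings.export", "status": 200}
{"ts": "2024-06-03T10:05:00Z", "key_id": "key_new_b8e1", "action": "findings.list", "status": 200}
{"ts": "2024-06-03T10:07:00Z", "key_id": "key_old_7f3a", "action": "findings.list", "status": 401}
{"ts": "2024-06-04T11:00:00Z", "key_id": "key_new_b8e1", "action": "findings.export", "status": 200}
"""

AS_OF = datetime(2024, 6, 2, tzinfo=timezone.utc)        # when the pre-rotation check runs
ROTATED_AT = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def key_in_use(events: list[dict], key_id: str, as_of: datetime,
               lookback_days: int = 30) -> bool:
    """True if the key made at least one successful call in the lookback window.

    Run this before rotating: a key with no recent successful use is a
    candidate for revocation rather than rotation.
    """
    since = as_of - timedelta(days=lookback_days)
    return any(
        e["key_id"] == key_id and e["status"] < 400 and since <= e["ts"] <= as_of
        for e in events
    )


def rotation_status(events: list[dict], old_id: str, new_id: str,
                    rotated_at: datetime) -> dict:
    """Confirm a rotation took effect from the post-rotation log entries."""
    after = [e for e in events if e["ts"] > rotated_at]
    old_after = [e for e in after if e["key_id"] == old_id]
    new_key_active = any(e["key_id"] == new_id and e["status"] < 400 for e in after)
    old_key_still_accepted = any(e["status"] < 400 for e in old_after)
    return {
        "new_key_active": new_key_active,
        "old_key_still_accepted": old_key_still_accepted,
        # Rejected calls with the old ID point at clients that were not updated.
        "old_key_attempts_after_rotation": len(old_after),
        "complete": new_key_active and not old_key_still_accepted,
    }


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for kid in ("key_old_7f3a", "key_idle_19c2"):
        print(kid, "in use:", key_in_use(events, kid, AS_OF))
    print(rotation_status(events, "key_old_7f3a", "key_new_b8e1", ROTATED_AT))
```

A non-zero `old_key_attempts_after_rotation` with `old_key_still_accepted` false is the healthy signal: the server is rejecting the retired key, and the count tells you how many stragglers still need their configuration updated.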