---
date: 2026-03-28
title: "Secrets rotation checklist"
---

Rotate these secrets if they were stored in `.env` or otherwise exposed:

- OPENROUTER_API_KEY / OPENAI_API_KEY
- NPM_TOKEN
- DEPLOY SSH keys or passwords (DEPLOY_SSH_KEY, DEPLOY_PASSWORD)
- Any database credentials, API keys, or third-party service tokens

Steps
-----

1. Revoke the current tokens in each provider's dashboard.
2. Create new tokens/keys and store them in the repository secrets (GitHub Settings → Secrets).
3. Update any running services / CI variables to use the new tokens.
4. If you used SSH keys and replaced them, update the authorized_keys on the VPS and remove the old key.

Verification
------------

- Use CI dry-run jobs that check connectivity and token validity.
- Run local commands that use the new tokens.
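
One way to carry out step 4 on the VPS, as an added example that is not part of the original checklist: it matches entries by key blob rather than by comment, so an old key with an options prefix or an edited comment is still removed. The function names and the file paths passed in are hypothetical, and it assumes you run it as the account that owns the `authorized_keys` file.

```shell
#!/bin/sh
# Added example: swap a deploy key in authorized_keys by key blob.
# Function names and the file paths passed in are hypothetical.

# Print the base64 key blob (2nd field) of an ssh-keygen .pub file.
pub_blob() {
    awk 'NF >= 2 { print $2; found = 1; exit } END { exit !found }' "$1"
}

# key_present AUTH_FILE PUB_FILE -> exit 0 if the key blob is in AUTH_FILE.
key_present() {
    kp_blob=$(pub_blob "$2") || return 2
    awk -v b="$kp_blob" '
        { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
        END { exit !found }' "$1"
}

# rotate_authorized_key AUTH_FILE OLD_PUB NEW_PUB
rotate_authorized_key() {
    auth_file=$1
    old_blob=$(pub_blob "$2") || { echo "cannot read old key" >&2; return 2; }
    new_blob=$(pub_blob "$3") || { echo "cannot read new key" >&2; return 2; }
    [ "$old_blob" != "$new_blob" ] || { echo "old and new keys match" >&2; return 2; }

    # Build the new file beside the original so the final mv is atomic.
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 1

    # Drop every entry carrying the old blob in any field; this also catches
    # lines with an options prefix or an edited comment.
    awk -v old="$old_blob" '
        { for (i = 1; i <= NF; i++) if ($i == old) next; print }
    ' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Append the new key only if it is not already installed.
    key_present "$tmp" "$3" || awk 'NF >= 2 { print; exit }' "$3" >> "$tmp"

    chmod 600 "$tmp" && mv "$tmp" "$auth_file"
}

# Run as: sh rotate_key.sh ~/.ssh/authorized_keys old.pub new.pub
if [ "$#" -eq 3 ]; then
    rotate_authorized_key "$@"
fi
```

Keep the current SSH session open and confirm a login with the new key from a second session before closing it.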