API Key and Secret Rotation Runbook Builder
Create a practical runbook for rotating API keys, tokens, webhooks, and other secrets after a leak or on a planned security cadence.
Prompt Template
You are a senior platform security engineer. Build an API key and secret rotation runbook for [application/system/team].

Context:
- Secret types to rotate: [API keys, OAuth client secrets, webhook signing secrets, database passwords, tokens]
- Trigger: [scheduled rotation / suspected leak / employee offboarding / vendor change / compliance requirement]
- Environments: [dev, staging, production]
- Services affected: [services, vendors, integrations]
- Deployment method: [CI/CD, Kubernetes, serverless, manual deploys]
- Secret storage: [Vault, AWS Secrets Manager, Doppler, environment variables, etc.]
- Downtime tolerance: [none / short window / maintenance window]
- Owners and approvers: [teams or people]
- Constraints: [vendor rate limits, legacy systems, customer impact, audit requirements]

Create:
1. Secret inventory and dependency map
2. Risk triage by exposure level and business impact
3. Pre-rotation checklist, access approvals, and backup plan
4. Step-by-step rotation sequence for low-risk and high-risk secrets
5. Validation tests for each environment
6. Rollback or emergency containment plan
7. Internal communication template for engineering, support, and leadership
8. Customer/vendor communication template if external credentials are affected
9. Audit evidence checklist for compliance records
10. Automation opportunities to reduce future manual rotation risk

Keep the runbook concrete, ordered, and safe for production systems.
Example Output
# API Key and Secret Rotation Runbook - Acme Payments
Priority Inventory
| Secret | Owner | Systems | Rotation Risk | Action |
|---|---|---|---:|---|
| Stripe webhook signing secret | Platform | billing-api, worker-billing | Medium | Rotate during low-traffic window |
| SendGrid API key | Growth Eng | lifecycle-email | Low | Rotate immediately after test send |
| Postgres app password | Infrastructure | API, jobs, analytics export | High | Use dual credentials first |
Rotation Sequence
1. Freeze deployments touching billing and email configuration.
2. Create replacement secret in the vendor dashboard with least-privilege scopes.
3. Store the new value in AWS Secrets Manager as `BILLING_STRIPE_WEBHOOK_SECRET_NEXT`.
4. Deploy code that accepts both old and new webhook signatures for 24 hours.
5. Switch vendor webhook signing secret to the new value.
6. Confirm successful signed webhook delivery in staging, then production.
7. Remove the old secret after the verification window.
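Step 4 is the dual-secret overlap that makes the cutover in step 5 safe. As an added example (not part of the example output above), here is a webhook verifier that accepts a signature made with either the current or the next secret, so deliveries signed with either value are processed while the vendor switches. It follows Stripe's documented v1 scheme (HMAC-SHA256 over `timestamp.payload`, header `t=...,v1=...`); the secret values, tolerance and function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical secret values, constructed for this example (not real Stripe secrets).
# During the overlap window the service loads both the current and the _NEXT value.
WEBHOOK_SECRETS = {
    "current": "whsec_old_constructed_value",
    "next": "whsec_new_constructed_value",
}

TOLERANCE_SECONDS = 300  # reject signed payloads older than 5 minutes (replay guard)


def parse_signature_header(header):
    """Split Stripe's 't=<ts>,v1=<hex>[,v1=<hex>]' header into timestamp and signatures."""
    timestamp, sigs = "", []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            sigs.append(value)
    return timestamp, sigs


def expected_signature(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded, as Stripe computes it."""
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(payload, header, secrets, now=None):
    """Return the label of the secret that validated the payload, or None.

    Accepting both 'current' and 'next' makes the vendor-side cutover safe, and
    logging the returned label shows when the old secret goes idle.
    """
    timestamp, presented = parse_signature_header(header)
    if not timestamp.isdigit() or not presented:
        return None
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return None  # stale or future-dated timestamp: treat as a replay
    for label, secret in secrets.items():
        expected = expected_signature(secret, timestamp, payload)
        if any(hmac.compare_digest(expected, sig) for sig in presented):
            return label
    return None
```

Once the label returned is "next" for every delivery over the verification window, the "current" entry can be dropped (step 7).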
Validation
- Health checks green for billing API
- Test invoice webhook processed end-to-end
- No signature mismatch alerts for 30 minutes
- Audit log screenshot saved to SOC 2 evidence folder
Communication
Engineering update: "Secret rotation for Stripe webhooks starts at 22:00 UTC. Expected customer impact: none. Watch #billing-alerts for signature failures."
Tips for Best Results
- 💡 List every service that consumes the secret before asking for the runbook; missed dependencies cause most failed rotations.
- 💡 Include your secret manager and deployment system so the steps match your real workflow.
- 💡 For high-risk systems, ask for a dual-secret or phased rollout plan instead of a single hard cutover.
- 💡 Have security or infrastructure owners review the final runbook before production use.