Secret Rotation

Automated rotation reduces the risk of long-lived credential leakage by periodically changing secret values without manual intervention.

How it Works

CustomKeys orchestrates the rotation lifecycle:

  1. Trigger: Based on a schedule (e.g., every 30 days) or a manual trigger.
  2. Generation: CustomKeys calls a backend (Webhook, DB, or Cloud) to generate a new value.
  3. Validation: The new value is verified before being committed.
  4. Broadcast: Stale client caches are invalidated in real time via WebSockets.

Supported Backends

1. Webhooks

Integrate with any custom internal service. CustomKeys sends an authenticated POST request to your endpoint; you return the new secret value.

{ "key": "STRIPE_API_KEY", "old_value": "sk_test_...", "environment": "production" }
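
A sketch of the receiving side of this webhook, added here as an example and not CustomKeys code. The page does not say how the POST is authenticated or what the response looks like, so the HMAC-SHA256 body signature, the `value` response field, and the allow-list are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the request carries a hex HMAC-SHA256 of the raw body, keyed
# with a shared secret. The page only states that the POST is "authenticated".
# Constructed allow-list: the (key, environment) pairs this service may rotate.
ALLOWED = {("STRIPE_API_KEY", "production")}


def sign(body: bytes, shared_key: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body."""
    return hmac.new(shared_key, body, hashlib.sha256).hexdigest()


def handle_rotation(body: bytes, signature: str, shared_key: bytes):
    """Return (http_status, response_dict) for one rotation request."""
    # Authenticate the raw bytes before parsing them; constant-time compare.
    expected = sign(body, shared_key).encode()
    if not hmac.compare_digest(expected, signature.encode("utf-8", "replace")):
        return 401, {"error": "bad signature"}
    try:
        req = json.loads(body)
        key, env, old = req["key"], req["environment"], req["old_value"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    if not all(isinstance(v, str) for v in (key, env, old)):
        return 400, {"error": "malformed request"}
    # Refuse to mint values for secrets this endpoint does not own.
    if (key, env) not in ALLOWED:
        return 403, {"error": "rotation not allowed for this key"}
    # Stand-in generator: a real service would ask the issuing system for a
    # new credential. Neither old nor new value is logged or echoed in errors.
    new_value = secrets.token_urlsafe(32)
    return 200, {"value": new_value}  # "value" is an assumed field name
```
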

2. Database (Fully Managed)

Directly rotate credentials in your database. CustomKeys currently supports:

  • PostgreSQL: Rotates a user's password directly on the server.
  • MySQL: Native support for credential cycling.
  • Redis: Automated AUTH password rotation.

Configuration

Rotation is configured on a per-secret basis.

  • Interval: 1 to 720 hours (up to 30 days).
  • History: CustomKeys tracks the last 20 rotation events for auditing.

Important: To use Automatic Rotation, your application should use the Official SDKs to ensure it receives rotation event broadcasts without needing a restart.

Last updated: 4/20/2026