Best Practices of API Token Rotation

What is a complete key rotation?

A complete rotation of a stored credential covers three things: removing the original key from the source application where it was created, creating a new token on that source application, and updating the token stored on the CircleCI application.


Remember to visit the application where the token was created and delete the original token!

As an example, suppose your team stores a Honeycomb API Key. Whenever a rotation is called for, whether because of an announced recommendation such as the CircleCI security alert of January 4, 2023, or simply because of a planned rotation schedule your team has agreed on, the Honeycomb API Key will need to be removed by visiting the Honeycomb application and its settings.



1. Create a new API token at the source.

2. Update the token within the existing context and/or project environment variables on the CircleCI application. Our recommendation is to update these via the CircleCI V2 API for continuous pipeline access to the variable. Deleting and recreating the token name on the UI is also an option.


3. Delete the old API token at the source.


Note on the order of these steps: deleting the old API token last (step 3) risks the human error of completing only steps 1 and 2, so make sure all three steps are carried out. The advantage of this sequence is that the pipeline keeps continuous access to the referenced token. Deleting the old API token at the source immediately after creating the new one has the opposite trade-off: the pipeline that uses the old token will break, which makes an incomplete rotation obvious, but it results in downtime until the stored token on CircleCI is updated.
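The three steps above, driven in the documented order against the CircleCI v2 API, as an added example that is not CircleCI's or Honeycomb's own code. It assumes a personal API token with access to the context, and that the source application's own create and delete operations are supplied by the caller as callables, since those differ per vendor; the context id and variable name are placeholders.

```python
# Added example, not CircleCI's or Honeycomb's code. Assumes: a personal API token
# with access to the context, and caller-supplied callables wrapping the source
# application's own create/delete operations (these differ per vendor).
import json
import urllib.request

API = "https://circleci.com/api/v2"


def send_json(method, url, body, token):
    """Minimal JSON client for the v2 API. Returns (HTTP status, parsed body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Circle-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def update_context_variable(context_id, name, value, token, send=send_json):
    """Step 2: PUT overwrites the context variable in place, so jobs that reference
    it never see a window where it is missing (unlike delete-and-recreate)."""
    url = f"{API}/context/{context_id}/environment-variable/{name}"
    status, _ = send("PUT", url, {"value": value}, token)
    if status != 200:
        raise RuntimeError(f"CircleCI update of {name} failed with HTTP {status}")


def context_has_variable(context_id, name, token, send=send_json):
    """Read back the context's variable list; the API returns names only, never values."""
    status, body = send("GET", f"{API}/context/{context_id}/environment-variable", None, token)
    return status == 200 and any(item.get("variable") == name for item in body.get("items", []))


def rotate(context_id, name, token, old_token_id, create_at_source, delete_at_source,
           send=send_json):
    """Steps 1-3 in the documented order. The old token is revoked only after CircleCI
    has confirmed the new one is stored, so a failure in step 2 leaves the pipeline
    running on the old token, and step 3 cannot be forgotten because it is part of
    the same routine. Returns the list of completed steps."""
    done = []
    new_token_id, new_secret = create_at_source()        # step 1 (vendor-specific)
    done.append("create")
    update_context_variable(context_id, name, new_secret, token, send)  # step 2
    done.append("update")
    if not context_has_variable(context_id, name, token, send):
        raise RuntimeError(f"{name} not visible in context {context_id} after update")
    done.append("verify")
    delete_at_source(old_token_id)                       # step 3 (vendor-specific)
    done.append("delete")
    return done
```

Call `rotate(...)` with the context id, the variable name, a personal API token, the id of the token being retired, and two callables that wrap the source application's own API.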


Additional Resources

You can find more information in our documentation below:
