About six months ago I rotated my OpenAI API key for the first time. Not because anything was wrong. Because a security blog said I should, and I felt guilty.
I did it the manual way: generated a new key in the OpenAI dashboard, then went hunting through every project I'd built that used the old key. Find the .env file. Update it. Restart the app. Repeat for every project. By the third project I'd lost track of which ones I'd updated. By the fifth I realized I was about to leave one production app stranded because I didn't remember it existed.
The actual cost of manual rotation
It took me about three hours. I had eight projects using OpenAI. Two of them I almost broke. One of them I did break for half an hour because I rolled the key, restarted the app, but missed an environment variable in a Docker container.
Three hours, partial outage, anxiety the whole time. After that experience I just… didn't rotate again. For five months. Which is the worst possible outcome — the security advice was right, and the friction made me ignore it.
Why rotation matters
Keys leak. Not always dramatically — sometimes a key ends up in a git commit that gets pushed to a public repo before you realize, sometimes you copy-paste it into a Slack message to a contractor, sometimes a third-party service you used a year ago gets breached and your key was in their database.
The countermeasure isn't preventing every leak (you can't). It's rotating regularly enough that any leaked key is already invalid by the time someone tries to use it. 90 days is a reasonable cadence for most setups. Faster if you're paranoid. Never is what most people actually do.
What changes with a vault
The reason I never rotated again was the friction. The reason I rotate every 90 days now is that the friction went away.
With IBYOK (or any decent BYOK vault), the key lives in one place. My eight projects fetch the key from the vault at runtime instead of holding their own copy. When I rotate, I rotate at the vault. The next time each project asks for the key, it gets the new one. No project-by-project hunting. No restart cascade. No anxiety.
The first rotation took five minutes. Every subsequent one takes two.
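To make "fetch the key from the vault at runtime" concrete, here is an added example that is not code from the post or from IBYOK. IBYOK's real client API is not shown on the page, so the `Vault` class and the `call_provider` function below are constructed stand-ins (all key values are made up); the pattern they demonstrate is the general one: a short-lived cache in front of the vault, plus a refresh-on-reject path, so that a single rotation at the vault reaches every project without touching their .env files or restarting them. It also shows the configuration-versus-credential distinction from the next section, by putting the load-once .env model side by side with the fetch-on-demand model.

```python
"""Added example: one rotation at the vault, eight projects, no restart cascade.

The Vault and call_provider below are constructed stand-ins, not IBYOK's
actual interface or the OpenAI API.
"""
import time
from typing import Callable, Dict, Optional


class Vault:
    """Constructed stand-in for a BYOK vault: the one place a credential lives."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def put(self, name: str, value: str) -> None:
        self._secrets[name] = value

    def get(self, name: str) -> str:
        return self._secrets[name]

    def rotate(self, name: str, new_value: str) -> None:
        # Rotation is a single operation here; consumers pick up the new
        # value on their next fetch instead of needing a per-project edit.
        self.put(name, new_value)


class EnvFileCredential:
    """The 'configuration' model: each project holds its own copy, read once
    at startup (as a .env loader does). A rotation elsewhere never reaches it."""

    def __init__(self, var: str, env: Dict[str, str]) -> None:
        self._value = env[var]

    def current(self) -> str:
        return self._value


class VaultCredential:
    """The 'credential' model: fetched on demand and cached only for `ttl`
    seconds, so a rotation propagates on its own without a restart."""

    def __init__(self, vault: Vault, name: str, ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._vault, self._name, self._ttl, self._clock = vault, name, ttl, clock
        self._cached: Optional[str] = None
        self._fetched_at = float("-inf")

    def current(self) -> str:
        now = self._clock()
        if self._cached is None or now - self._fetched_at >= self._ttl:
            self._cached = self._vault.get(self._name)  # re-fetch from the vault
            self._fetched_at = now
        return self._cached

    def invalidate(self) -> None:
        """Drop the cache when the provider rejects the key, so the very next
        call re-fetches instead of waiting out the TTL."""
        self._cached = None


def call_provider(accepted_key: str, presented_key: str) -> int:
    """Constructed stand-in for the API provider: 200 for the currently valid
    key, 401 for a key that has been rotated out."""
    return 200 if presented_key == accepted_key else 401


def request_with_refresh(cred: VaultCredential, accepted_key: str) -> int:
    """One API call; on 401, invalidate the cached key and retry once."""
    status = call_provider(accepted_key, cred.current())
    if status == 401:
        cred.invalidate()
        status = call_provider(accepted_key, cred.current())
    return status


def demo_rotation() -> Dict[str, object]:
    """The scenario from the post: eight projects, one rotation at the vault."""
    vault = Vault()
    vault.put("openai_api_key", "sk-OLD-constructed")  # constructed value
    fake_now = [0.0]  # controllable clock so the TTL can be advanced deterministically

    env_projects = [EnvFileCredential("OPENAI_API_KEY",
                                      {"OPENAI_API_KEY": vault.get("openai_api_key")})
                    for _ in range(8)]
    vault_projects = [VaultCredential(vault, "openai_api_key", ttl=60.0,
                                      clock=lambda: fake_now[0]) for _ in range(8)]
    for p in vault_projects:
        p.current()  # warm every cache with the old key, as running apps would have

    vault.rotate("openai_api_key", "sk-NEW-constructed")  # constructed value
    accepted = vault.get("openai_api_key")

    # .env-style projects are now stranded until someone edits and restarts each one.
    env_broken = sum(call_provider(accepted, p.current()) == 401 for p in env_projects)
    # Vault-backed projects still hold the old key in cache, but recover on the
    # same request via the 401-driven refresh.
    vault_ok = sum(request_with_refresh(p, accepted) == 200 for p in vault_projects)
    # Once the TTL has elapsed, a plain fetch returns the new key with no retry at all.
    fake_now[0] += 61.0
    all_fresh = all(p.current() == accepted for p in vault_projects)

    return {"env_projects_broken": env_broken, "vault_projects_ok": vault_ok,
            "after_ttl_all_fresh": all_fresh}


if __name__ == "__main__":
    print(demo_rotation())
```

The TTL is the knob that trades vault traffic against propagation delay: a 60-second cache means a rotation is fully in effect within a minute even if the provider never returned a 401, and the refresh-on-reject path closes the gap for any request that lands inside that window.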
The mental model shift
The mental model that helps: stop thinking of API keys as "configuration" and start thinking of them as "credentials." Configuration goes in a .env file. Credentials live in a vault and get fetched on demand.
Once that switch happens, rotation stops being a project. It's a button. The 90-day cadence becomes realistic. The leaked-key risk drops accordingly.
I should have done this years ago. I should have done it before the first rotation, not after. If you're still in the "manual rotation" world, the lesson is: don't wait for the day you need to rotate to set up a vault. Set it up now, while nothing's wrong.
— Jeff
Free tier — 250 calls/month, no card required.