API keys are easy to create and hard to retire. A small team may have keys in CI variables, no-code automations, browser extensions, vendor dashboards, serverless functions, spreadsheets, and old contractor laptops. This 2026 checklist was reviewed on June 12, 2026 against CISA, NIST, OWASP, GitHub, Google Cloud, and Microsoft guidance. It is an operational security guide, not a substitute for incident-response, legal, or compliance advice.

Practical decision table
| Inventory field | Why it matters | Rotation trigger |
|---|---|---|
| Owner | Someone can revoke it | Owner leaves or role changes |
| Scope | Limits blast radius | Scope is broader than needed |
| Storage location | Finds hidden copies | Secret appears in logs or repo |
| Last rotated | Prevents stale credentials | Vendor incident or audit gap |
| Break-glass plan | Avoids outage panic | Key powers production workflow |

Inventory the integration, not just the secret
A safe inventory names the product, environment, owner, purpose, scope, storage location, creation date, last rotation, and revocation path. It should not contain the key value. If the only record is “Zapier key” or “old GitHub token,” the team cannot judge risk during an incident.

Prefer scoped tokens and service identities
Where platforms support it, use least-privilege scopes, service accounts, workload identity, short-lived credentials, or environment-specific keys. A personal all-access token used by production automation is a lockout and data-exposure risk. Store why each scope exists so future reviewers do not blindly preserve excessive permissions.

Rotate in a two-key window when possible
The calm pattern is: create the new key, deploy it to the dependent service, verify that traffic has moved to it, then revoke the old key and record the evidence. Emergency rotation after exposure may require faster revocation, but routine rotation should be tested like a deployment so customer workflows do not fail silently.
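
The inventory record and the two-key window above, as an added example that is not part of the original checklist: the record carries the inventory fields the guide names (and no key value), `rotation_triggers` maps a record onto the decision table, and `two_key_rotation` refuses to revoke the old key until the new one is verified. The Zapier-style sample record, the 90-day staleness policy and the three callbacks are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record, not from the original page: the inventory fields the
# checklist names, and deliberately no field for the key value itself.
@dataclass(frozen=True)
class IntegrationRecord:
    product: str
    environment: str
    owner: str
    purpose: str
    scope: frozenset
    storage_location: str
    created: date
    last_rotated: date
    revocation_path: str

REVIEW_DATE = date(2026, 6, 12)  # the checklist's review date, used as "today"
SAMPLE = IntegrationRecord("Zapier", "production", "alice", "invoice sync",
                           frozenset({"read", "write", "admin"}), "CI variable",
                           date(2025, 1, 10), date(2025, 1, 10), "vendor dashboard")

def rotation_triggers(rec, today, active_owners, needed_scope, exposed=False, max_age_days=90):
    """Map a record onto the decision table and return the triggers that fire."""
    triggers = []
    if rec.owner not in active_owners:
        triggers.append("owner left or changed role")
    excess = sorted(rec.scope - needed_scope)
    if excess:
        triggers.append("scope broader than needed: " + ", ".join(excess))
    if exposed:
        triggers.append("secret appeared in logs or repo")
    age = (today - rec.last_rotated).days  # max_age_days is an assumed policy
    if age > max_age_days:
        triggers.append(f"stale: {age} days since last rotation")
    return triggers

class RotationOrderError(RuntimeError): pass  # old key revoked before verification

def two_key_rotation(deploy_new, count_requests, revoke_old):
    """Deploy new key, verify traffic moved; count_requests() -> (new hits, old hits)."""
    deploy_new()
    evidence = ["new key deployed"]
    new_hits, old_hits = count_requests()
    if new_hits == 0 or old_hits > 0:  # traffic not fully on the new key: stop here
        raise RotationOrderError(f"not verified (new={new_hits}, old={old_hits})")
    evidence.append(f"verified: {new_hits} requests on new key, 0 on old")
    revoke_old()
    evidence.append("old key revoked")
    return evidence
```

The returned evidence list is what the guide asks you to file next to the inventory record after a routine rotation.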

Search for accidental copies
Check code repositories, CI logs, issue trackers, notebooks, local env files, support tickets, no-code steps, and shared documents for old secrets. Use platform secret scanning where available. If a secret was ever committed or pasted into a ticket, treat deletion as insufficient and rotate it.

Make incident revocation boring
Write a one-page runbook for compromised key scenarios: who can revoke, where to rotate, which jobs to restart, how to confirm success, and which customers or vendors may be affected. Keep the runbook outside the system that might be down during the incident.

Implementation checklist
- Save the official source, account page, receipt, confirmation, or policy text that supports the decision.
- Keep sensitive details out of screenshots when a blank note, redacted PDF, or itemized non-sensitive record is enough.
- Assign an owner and review date so the checklist does not become stale after a provider, rule, trip, or platform change.
- Separate normal workflow evidence from escalation evidence; disputes, audits, incidents, and chargebacks need cleaner timelines.
- Recheck the plan before deadlines, renewals, tax filing, travel departure, major software changes, or account offboarding.

FAQ
Is this guide current for 2026?
It was checked against the listed sources on June 12, 2026. Official rules, platform settings, fees, forms, and support processes can change, so verify before acting.
What is the safest first step?
Build the table and evidence folder before making an irreversible change. A calm record often prevents a rushed dispute, audit panic, lockout, or missed deadline.
When should I get expert help?
Use qualified tax, legal, security, medical, travel, card-issuer, or official support when money, health, identity, access, compliance, or family safety could be affected.