
Credential Rotation Guide — eco|monetize™

Version: 1.0 | Created: 2026-03-22 | Owner: Security.Ops
Airtable registry: Operations Intelligence Hub → Credential_Registry
1Password vaults: Development + Production


Rotation Schedule

Cycle | Credentials | Next Due
90 days | Airtable (4), Anthropic (3), OpenRouter (3), OpenAI (1), GitHub (1), Make.com (1), Apollo (1), Supabase token (1), Supabase password (1) | 2026-06-20
Never | Salesforce Connected App, Google OAuth (2), Supabase anon key, Ollama, SSH key | N/A

Vendor Console URLs

Airtable (4 tokens — Regenerate in-place)

  • Console: https://airtable.com/create/tokens
  • Process: Click token name → Regenerate → Copy new value
  • Tokens:
      • airtable-content-portal-read — data.records:read on Operations Intelligence Hub
      • airtable-content-portal-write — data.records:read+write on Operations Intelligence Hub
      • Revenue Acceleration Engine PAT — on Revenue Acceleration Engine base
      • DevOps Platform Costs PAT — on Operations Intelligence Hub

Anthropic (3 keys — Create new + delete old)

  • Console: https://console.anthropic.com/settings/keys
  • Process: Create Key → name it same as old → Copy → Delete old key
  • Keys:
      • content-portal-api-enrichment — content-enrichment.py, portal AI Summary
      • ops-ecomonetize-tools — general ops
      • ESIL Apps Script — Apps Script integration

OpenRouter (3 keys — Create new + delete old)

  • Console: https://openrouter.ai/settings/keys
  • Process: Create Key → name it same → Copy → Delete old
  • Keys:
      • council-key — multi-LLM council reviews
      • ops-ecomonetize-tools — general ops
      • ops-ecomonetize-cost-tools — cost tracking

OpenAI (1 key — Create new + delete old)

  • Console: https://platform.openai.com/api-keys
  • Process: Create new secret key → Copy → Delete old
  • Key: Platform API key

GitHub (1 token — Regenerate in-place)

  • Console: https://github.com/settings/tokens
  • Process: Click token → Regenerate token → Copy
  • Token: Classic PAT for ecomonetize org

Make.com (1 token — Regenerate in-place)

  • Console: https://www.make.com/en/settings/profile → API
  • Process: Regenerate → Copy
  • Token: ops-ecomonetize-tools (Org: ecomonetize)

Apollo.io (1 key — Regenerate in-place)

  • Console: https://app.apollo.io/#/settings/integrations/api
  • Process: Regenerate → Copy
  • Key: ops-ecomonetize-tools (Free plan, 75 credits/month)

Supabase (2 rotatable + 1 permanent)

  • Console: https://supabase.com/dashboard/project/rnjiwfeunznxfivalcws/settings/api
  • Rotatable:
      • Service token: Dashboard → Access Tokens → Regenerate
      • Project password: Dashboard → Database → Database Password → Reset
  • Permanent (cannot rotate):
      • Anon public key — tied to project JWT secret

Salesforce (permanent)

  • Console: https://eri-vendor.develop.my.salesforce.com (vendor org)
  • Console: https://eri-partner.develop.my.salesforce.com (partner org)
  • Note: Consumer Key + Secret are permanent per Connected App. To rotate, create a new Connected App and update all integrations.

Google OAuth (2 — permanent)

  • Console: https://console.cloud.google.com/apis/credentials
  • Note: Client ID + Secret are permanent per OAuth client. To rotate, create new OAuth client, update callback URLs, delete old client.
  • Clients:
      • Google Drive OAuth — Content Factory (Lovable)
      • ERI Platform Auth — Supabase auth callback

Ollama (local — self-managed)

  • Location: Ricks-Mac-Studio.local
  • Note: Local API key, no external rotation needed

SSH Key (permanent)

  • Type: ed25519
  • Location: ~/.ssh/id_ed25519
  • Note: To rotate, generate new key pair and update GitHub/servers

Rotation Procedure

For "Regenerate in-place" vendors (Airtable, GitHub, Make.com, Apollo):

  1. Log into vendor console (URL above)
  2. Find the token → click Regenerate
  3. Copy new value
  4. Update 1Password: op item edit "TOKEN_NAME" --vault="Development" "credential=NEW_VALUE"
  5. Update Credential_Registry in Airtable: set Last Rotated = today, Next Rotation Due = +90 days
  6. Test: op read "op://Development/TOKEN_NAME/credential" — verify new value

For "Create new + delete old" vendors (Anthropic, OpenRouter, OpenAI):

  1. Log into vendor console (URL above)
  2. Create new key with the same name as the old one
  3. Copy new value
  4. Update 1Password: op item edit "TOKEN_NAME" --vault="Development" "credential=NEW_VALUE"
  5. Delete the old key in the vendor console
  6. Update Credential_Registry: set Last Rotated = today
  7. Test: op run --env-file ~/.ecomonetize/scripts/.env.1password -- python3 -c "import os; print(os.environ['KEY_NAME'][:15])"

For permanent credentials (Salesforce, Google, Supabase anon):

  • No rotation needed unless compromised
  • If compromised: create new Connected App / OAuth Client / project, update all references

After Rotation Checklist

  • [ ] All new values saved in 1Password
  • [ ] op read returns correct values for each credential
  • [ ] op-enrich --limit 1 works (tests Airtable + Anthropic)
  • [ ] Content Portal loads data (tests Airtable read)
  • [ ] Credential_Registry updated with Last Rotated + Next Rotation Due dates
  • [ ] Remove any hardcoded credentials from files (grep for old values)

Hardcoded Credentials to Remove

After rotation, search for and remove old credentials from these known locations:

# Find any remaining hardcoded keys in project files
grep -r "pat[A-Za-z0-9]\{10,\}\." ~/ecomonetize/Project.Manager/ --include="*.md" --include="*.py" --include="*.sh" --include="*.html" -l
grep -r "sk-ant-api" ~/ecomonetize/Project.Manager/ -l
grep -r "sk-or-v1" ~/ecomonetize/Project.Manager/ -l
grep -r "sk-proj-" ~/ecomonetize/Project.Manager/ -l
grep -r "ghp_" ~/ecomonetize/Project.Manager/ -l
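
An added example, not part of the original guide: the five searches above as one pass that also covers files the --include filters skip (such as .git/config) and reports only path, line and key type, so the report itself never repeats a secret. The function names, rule labels and sample tree are constructed; the prefixes are the ones grepped for above.

```shell
#!/bin/sh
# Added example: scan a tree once for the key prefixes grepped for above.
# Prints "path:line:kind" only, so the report never repeats a secret.
# Rule labels and the sample tree are constructed for illustration.

# scan_hardcoded_creds DIR -> prints findings; returns 1 if any, else 0
scan_hardcoded_creds() {
    root=$1
    rc=0
    while IFS='|' read -r kind pattern; do
        # -I skips binary files; cut keeps path and line, drops the matched text
        # (a path containing ':' would be truncated by cut)
        hits=$(grep -rInE -e "$pattern" "$root" | cut -d: -f1,2)
        [ -z "$hits" ] && continue
        rc=1
        printf '%s\n' "$hits" | sed "s/\$/:$kind/"
    done <<'EOF'
airtable-pat|pat[A-Za-z0-9]{10,}\.
anthropic|sk-ant-api
openrouter|sk-or-v1
openai|sk-proj-
github-pat|ghp_
EOF
    return "$rc"
}

# make_sample_tree -> prints the path of a temp tree holding fake values
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/scripts" "$dir/.git"
    printf 'intro\nAIRTABLE=patAAAAAAAAAAAAAA.0000\n' > "$dir/notes.md"
    printf 'key = "sk-ant-api03-FAKE"\ntoken = "ghp_FAKE"\n' > "$dir/scripts/enrich.py"
    # A token embedded in a remote URL: missed by the *.md/*.py/*.sh/*.html filter
    printf '[remote "origin"]\n\turl = https://ghp_FAKE@github.com/example/repo.git\n' > "$dir/.git/config"
    printf 'op read "op://Development/TOKEN_NAME/credential"\n' > "$dir/clean.sh"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree; for real use pass ~/ecomonetize/Project.Manager/
demo=$(make_sample_tree)
scan_hardcoded_creds "$demo" || echo "findings above: remove them and confirm the key was rotated"
rm -rf "$demo"
```

Because the function returns non-zero when anything matches, it can gate the last item of the After Rotation Checklist in a script or pre-commit hook.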


All credentials tracked in: Airtable → Operations Intelligence Hub → Credential_Registry (22 records)
All secrets stored in: 1Password → Development + Production vaults
CLI access: op read "op://VAULT/ITEM_NAME/credential" or source ~/.ecomonetize/scripts/op-env.sh