keyrotate

Rotate any API key in one command — verified end-to-end.

Install

npx
  npx keyrotate setup
Homebrew
  brew tap Prompto-Studio/homebrew-tap && brew install keyrotate
npm -g
  npm install -g keyrotate
curl
  curl -fsSL https://raw.githubusercontent.com/Prompto-Studio/keyrotate/main/scripts/install.sh | bash

Why it exists

Rotating one API key isn't one step — it's six. The new key has to land in 1Password, in GitHub Actions, in Supabase, in your local .env, and be verified against the upstream provider before the old one is revoked.

Miss one and you've shipped a half-rotated key. The alert path breaks, or the old key stays alive, or your team's vault drifts out of sync. keyrotate does the whole rotation in one command, verifies the new key against the provider before writing anything, and leaves an audit log behind.
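
The ordering described above, as an added example (not keyrotate's own code): verify the new key with the provider first, write to every destination while recording each outcome, and revoke the old key only when every write succeeded. The function names, the destination names (vault, ci, edge) and the sample key are constructed for illustration.

```javascript
// Short fingerprint so the audit log can identify a key without storing it.
async function fingerprint(secret) {
  const { createHash } = await import('node:crypto');
  return createHash('sha256').update(secret).digest('hex').slice(0, 12);
}

// verify:  async (key) => boolean, a read-only call to the upstream provider
// writers: { name: async (key) => void }, one per destination
// revoke:  async () => void, retires the OLD key at the provider
async function rotate({ name, newKey, verify, writers, revoke, audit }) {
  const entry = { name, key: await fingerprint(newKey), written: [], failed: [], oldKeyRevoked: false };
  const finish = (status) => { audit.push({ ...entry, status }); return { ...entry, status }; };

  // Gate 1: a key the provider rejects must never reach any destination.
  let ok = false;
  try { ok = await verify(newKey); } catch { ok = false; }
  if (!ok) return finish('rejected');

  // Write everywhere and record each outcome, so a partial rotation
  // is visible in the result and the audit log instead of silent.
  for (const [dest, write] of Object.entries(writers)) {
    try { await write(newKey); entry.written.push(dest); }
    catch { entry.failed.push(dest); }
  }

  // Gate 2: the old key stays alive while any destination still depends on it.
  if (entry.failed.length > 0) return finish('partial');
  await revoke();
  entry.oldKeyRevoked = true;
  return finish('complete');
}

// Constructed demo: in-memory stand-ins for the vault, CI and edge secrets.
async function demo(failing = null, providerAccepts = true) {
  const stores = { vault: null, ci: null, edge: null };
  const writers = {};
  for (const dest of Object.keys(stores)) {
    writers[dest] = async (key) => {
      if (dest === failing) throw new Error(`${dest} unavailable`);
      stores[dest] = key;
    };
  }
  const audit = [];
  const result = await rotate({
    name: 'example-alerts', newKey: 're_constructed_example_key',
    verify: async () => providerAccepts, writers, revoke: async () => {}, audit,
  });
  return { result, stores, audit };
}
```

A `partial` result is the half-rotated state: the old key is still valid, so the failed destinations can be retried before anything is revoked.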

One command, four destinations

$ keyrotate rotate resend-alerts

  Provider:     Resend
  Destinations: 1Password, GitHub, Supabase
  Create new at: https://resend.com/api-keys

   1Password ready (vault: Private)
   gh ready, repo Prompto-Studio/Prompto-Bot-Img
   supabase ready, project lubvpbxxwyy…

  ? Paste the new Resend key (hidden): ****
   Verifying against Resend…           
   Writing to 1Password…                
   Writing to GitHub Actions secret…    
   Writing to Supabase Edge secret…     
   Triggering test-alerts workflow…     

   Rotation complete (3/3 destinations).

Verifies against

Resend, OpenAI, Google Cloud, fal.ai, ElevenLabs, Stripe, Netlify, Supabase, HuggingFace, PostHog, AbuseIPDB, + custom

Writes to

1Password, Bitwarden, GitHub Actions, Supabase Edge, Netlify env, Fly.io secrets, .env file

Commands

setup            Interactive guided setup for any project
init             Scaffold a minimal keyrotate.toml
discover         Scan .env / 1Password / Bitwarden for existing keys (read-only)
import           First-time import of an existing key into the vault
add-custom       30-second wizard for any custom API provider
rotate           Interactive rotation — paste a new key
auto-rotate      Zero-prompt rotation (Resend / PostHog)
verify           Verify a single key against its provider
verify-all       Read-only health check of every key
check-rotations  What's due — supports --email via your own Resend key
self-check       doctor + discover + check-rotations in one pass
doctor           Diagnose missing CLIs / auth / destination config
audit            Show the last N rotations (default 20)
github-oauth     OAuth device flow for a GitHub OAuth token

What's new in v00.00.19

Last sprint shipped four versions back-to-back, focused on onboarding and unattended operation.
