Back to Infisical

Secret Rotation

docs/documentation/platform/secrets-mgmt/concepts/secrets-rotation.mdx

0.162.32.0 KB
Original Source

What is Secret Rotation?

Secret rotation is the process of regularly replacing credentials like API keys, database passwords, and tokens to reduce the risk of long-term exposure. Even if a secret is compromised, frequent rotation limits how long it can be used.

Without rotation, secrets often go unchanged for months or years: hardcoded in codebases, embedded in CI pipelines, or shared across environments. Over time, this increases the risk of leaks, misuse, and operational blind spots.

Secret Rotation in Infisical

Infisical automates rotation using a rolling lifecycle model where new credentials are issued on a fixed schedule with previous ones remaining temporarily valid to give systems time to update without disruption. Each secret moves through three phases: active, inactive, and eventually revoked. This ensures that applications continue to function smoothly throughout the rotation process.

When rotation is applicable for a given secret type, using it is strongly recommended. Infisical supports configuring automatic rotation for a growing set of use cases including PostgreSQL, MySQL, Microsoft SQL Server, OracleDB, LDAP, AWS IAM users, Azure and Okta client secrets, and more.

Next Steps

<CardGroup cols={2}> <Card title="Set Up Secret Rotation" icon="rotate" href="/documentation/platform/secret-rotation/overview"> Configure automatic rotation for your credentials. </Card> <Card title="Browse Supported Rotations" icon="grid-2" href="/integrations/secret-rotations"> Explore all systems Infisical can rotate credentials for. </Card> </CardGroup>