Secrets Rotation Card
Secret rotation panel listing active secrets with age nudges, masked prefixes, and a rotate button that keeps the old secret valid for 24 hours.
Secret rotation panel listing active secrets with age nudges, masked prefixes, and a rotate button that keeps the old secret valid for 24 hours.
The Application Collection unlocks the source for every Application block. All Access unlocks every Collection.
Already purchased? Log in
Secrets Rotation Card lists three active secrets, a Webhook signing secret on Production at 102 days old, an OAuth client secret at 113 days old, and a Preview webhook secret at 40 days. The two over-90-day entries carry an age badge and the honest nudge: rotating periodically limits the blast radius of a leak. Each row pairs a masked prefix like whsec_4f2k...c8e1 with its created and last-rotated dates.
Secrets are one typed array; the 90-day threshold is a named constant so the nudge condition reads as intent. The footer note explains the 24-hour overlap window so operators know nothing breaks mid-flight when they rotate.
Reach for this block on the developer settings or security page, wired to your secrets API and scoped to the signed-in workspace. Wire the Rotate now button to your key-rotation endpoint.
A natural flow around it on an Application Pro page:
Before
After
One strong use is the webhook and OAuth secret panel. Other rotation cards:
Tip: the 24-hour drain window note belongs in the UI, not the changelog; operators read it at rotation time, not before.