Credential Rotation

Agent credentials should be rotated regularly and after any suspected exposure. This guide covers the rotation lifecycle and how to achieve zero-downtime rotation.

Why rotate?

  • Periodic hygiene — rotate credentials on a regular schedule (e.g., every 90 days)
  • Suspected exposure — rotate immediately if a credential may have been leaked
  • Personnel changes — rotate when team members with access leave
  • Compliance — many security frameworks require regular credential rotation

How rotation works

Initiate rotation

In the Relynt dashboard, navigate to the agent’s Integration tab and click Rotate Credential.

Copy the new secret

The new plaintext secret is displayed exactly once. Copy it immediately to your secrets manager.

The secret cannot be retrieved after you close the modal. If you lose it, you must rotate again.

Update your agent’s environment

Replace the old secret in your agent’s runtime environment:

RELYNT_AGENT_SECRET=<new-secret-from-rotation>

Previous credential is revoked

The moment you rotate, the previous credential is automatically revoked. Any requests using the old credential will receive a 401 Unauthorized response.

Zero-downtime rotation

To rotate without interrupting your agent’s operations:

  1. Rotate the credential in the dashboard and copy the new secret
  2. Update your secrets manager or environment variables with the new secret
  3. Restart or redeploy your agent to pick up the new secret
  4. The transition happens in the time between rotation and redeployment

There is a brief window between rotation (old credential revoked) and redeployment (new credential active) where requests will fail. For critical agents, plan rotation during low-traffic periods.
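One way to shorten the failure window described above, as an added example that is not Relynt's own code: the agent re-reads its secret from the store when it sees a 401 and retries once, so it recovers as soon as the store is updated. The `send` callable, the file-based secret source, the path and the sample secret values are assumptions; no Relynt API is called.

```python
import tempfile
from pathlib import Path
from typing import Callable, List


class ReloadingSecret:
    """Holds the agent secret and re-reads it from its source on demand."""

    def __init__(self, load: Callable[[], str]):
        self._load = load
        self.value = load()

    def reload(self) -> bool:
        """Re-read the secret; return True only if it actually changed."""
        fresh = self._load()
        changed = fresh != self.value
        self.value = fresh
        return changed


def call_with_reload(send: Callable[[str], int], secret: ReloadingSecret) -> int:
    """Send once; on 401, reload the secret and retry once if it changed."""
    status = send(secret.value)
    if status == 401 and secret.reload():
        status = send(secret.value)
    return status


def file_loader(path) -> Callable[[], str]:
    """Secret source: a file kept current by the secrets manager (assumed)."""
    return lambda: Path(path).read_text(encoding="utf-8").strip()


def demo() -> List[int]:
    """Constructed scenario: a fake server accepts only the active secret."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "agent_secret"                # hypothetical mount path
        path.write_text("old-secret\n", encoding="utf-8")  # constructed value
        server = {"active": "old-secret"}
        send = lambda s: 200 if s == server["active"] else 401
        secret = ReloadingSecret(file_loader(path))
        results = [call_with_reload(send, secret)]       # before rotation
        server["active"] = "new-secret"                  # rotation revokes old
        results.append(call_with_reload(send, secret))   # store not yet updated
        path.write_text("new-secret\n", encoding="utf-8")  # store updated
        results.append(call_with_reload(send, secret))   # recovers, no restart
        return results
```

The retry is limited to one attempt and only happens when the reloaded value differs, so a genuinely invalid credential still surfaces as a 401 instead of looping.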

Secret storage

Never store agent secrets in:

  • Source code or version control
  • Client-side code or browser storage
  • Unencrypted configuration files
  • Log files or debug output

Recommended storage:

Platform      Secret storage
Kubernetes    Kubernetes Secrets
AWS           AWS Secrets Manager or SSM Parameter Store
GCP           Google Secret Manager
Azure         Azure Key Vault
Local dev     .env file (added to .gitignore)

Credential security model

  • Relynt stores only a hashed version of the credential
  • The plaintext is shown once at rotation time
  • Each agent has exactly one active credential at a time
  • Rotation is immediate — the old credential stops working right away
  • Credentials are scoped to a single agent within an organization