Skip to main content

Introduction

Secret rotation is a security best practice that involves systematically updating credentials and access tokens at regular intervals to minimize the risk of compromise. By proactively replacing existing secrets with new ones, organizations reduce the potential impact of credential theft or leakage. Examples of rotated secrets include:
  • API keys and authentication tokens for cloud services and third-party integrations
  • Database credentials across production, staging, and development environments

How Rotation Works

Infisical supports two rotation models: Dual-Phase (used by most providers) and Single-Phase. Select a tab below to learn how each model works.
Dual-phase rotation is the recommended approach that ensures zero downtime for your applications. This model systematically replaces secrets at regular intervals using an overlapping lifecycle that maintains continuous availability while enhancing your security posture.

Visual Timeline

Credential States

Each set of credentials transitions through three distinct states:
  • Active: The primary credentials
  • Inactive: These credentials are still valid, but will be revoked in the next rotation
  • Revoked: Permanently invalidated and deleted from the system

Rotation Cycle Example (30-Day Interval)

Using a 30-Day rotation interval as an example, here’s how the process unfolds:
  1. Day 0
    • Credential set 1 is issued and set to Active
    • Applications begin using this set for authentication
  2. Day 30
    • Credential set 2 is issued and set to Active
    • Credential set 1 transitions to Inactive but remains valid
    • New applications will utilize set 1, while existing applications with set 1 continue to work
    This overlapping validity period ensures that at any point during the active period of a credential set, you are guaranteed that retrieved credentials will be valid for the specified rotation period.
  3. Day 60
    • Credential set 3 is issued and set to Active
    • Credential set 2 transitions to Inactive but remains valid
    • Credential set 1 is Revoked and securely deleted
    • By now, all applications should have transitioned to using set 2 or 3
  4. Day 90
    • Credential set 4 is issued and set to Active
    • Credential set 3 transitions to Inactive but remains valid
    • Credential set 2 is Revoked and securely deleted
    • The cycle continues…

Benefits

  • Zero Downtime: Applications always have valid credentials
  • Grace Period: The inactive period gives applications time to update to new credentials
  • Reduced Risk: Credentials are regularly cycled, limiting the impact of potential compromise
  • Predictable Schedule: Makes credential management more systematic and easier to automate

Implementation Considerations

  • Choose a rotation interval appropriate for your security requirements and operational needs
  • Ensure your applications can handle credential updates gracefully
  • Monitor for applications still using credentials nearing revocation