Rotate API keys

  • Scheduled: every 90 days for prod provider keys (OpenAI, Anthropic, etc.)
  • Ad hoc: immediately on suspected leak
  • On employee offboarding: any key the employee had seen in plaintext

Customer keys are revoked, not rotated (customers self-serve new ones).

# Revoke
gcloud --project=tappass-prod sql connect tappass-prod-pg \
--user=tappass-ops
# in psql:
UPDATE api_keys SET revoked_at = now() WHERE key_id = 'kid_01JC...';

A revoked key returns 401 revoked on the next call, and an audit event of kind key.revoked fires.

Provider keys live in Google Secret Manager. The core server reads them on boot and caches them in process memory.

  1. Add the new secret version:
    # printf writes the key without the trailing newline that <<< would store in the secret
    printf '%s' "sk-new-key-here" | gcloud secrets versions add openai-api-key-prod \
    --data-file=-
  2. Roll the Cloud Run revision:
    gcloud run services update tappass \
    --region=europe-west1 \
    --update-secrets=OPENAI_API_KEY=openai-api-key-prod:latest
    Cloud Run rolls the new revision 10% → 100% with health checks.
  3. Verify:
    # Hit the health check from an agent — it exercises the OpenAI client
    curl -H "Authorization: Bearer tp_ops_..." \
    https://app.tappass.ai/health/providers
  4. After 24 h, disable the old secret version:
    # N-1 stands for the previous version number
    gcloud secrets versions disable N-1 --secret=openai-api-key-prod
    Keep it disabled for 30 days; then destroy.

Do not rotate without a migration plan. Audit signing keys anchor hash-chain integrity — rotating mid-stream breaks /audit/integrity.

The process is documented separately in the tappass/ repo under docs/runbooks/audit-key-rotation.md and requires coordination with compliance.
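
Why a mid-stream rotation breaks verification, as an added example that is not TapPass code. The chain layout, HMAC-SHA256 as the signing primitive, the key values and the key.created event name are assumptions made for illustration; only key.revoked comes from this page.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def _mac(key, event, prev):
    # The MAC covers the event and the previous entry's MAC, linking the entries.
    body = json.dumps({"event": event, "prev": prev}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(chain, key, event):
    """Append an entry signed with `key` and linked to the previous entry."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": _mac(key, event, prev)})


def first_bad_index(chain, key_for_index):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _mac(key_for_index(i), entry["event"], prev)
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def demo():
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    chain = []
    for event in ("key.created", "key.revoked"):
        append(chain, old_key, event)
    rotation_index = len(chain)  # entries from here on are signed with new_key
    for event in ("key.created", "key.revoked"):
        append(chain, new_key, event)
    # Verifier that only holds the current key: the oldest entry already fails.
    only_new = first_bad_index(chain, lambda i: new_key)
    # Verifier that only holds the old key: fails exactly at the rotation point.
    only_old = first_bad_index(chain, lambda i: old_key)
    # Verifier that was told the rotation boundary (the "migration plan").
    planned = first_bad_index(
        chain, lambda i: old_key if i < rotation_index else new_key)
    return only_new, only_old, planned


if __name__ == "__main__":
    print(demo())
```

The chain itself is intact in all three runs; what changes is whether the verifier knows which key covers which range of entries.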

Personal GitHub SSH keys — rotate yearly or on device change:

ssh-keygen -t ed25519 -C "firstname@tappass.ai"
# upload to GitHub → Settings → SSH keys
# remove the old key after you've confirmed the new one works