Rotation And Lifecycle

Treat every credential as a lifecycle object: create, activate, rotate, deprecate, revoke.

Rotation cadence

  • High-risk external integrations: 30-60 days.
  • Internal service credentials: 60-90 days.
  • Emergency rotation: immediately after suspected exposure.

Safe rotation sequence

  1. Create new secret version in source of truth.
  2. Update Zerq credential binding to new version or env key.
  3. Run smoke test on one protected route.
  4. Keep old credential valid briefly for rollback window.
  5. Revoke old credential after successful observation period.
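The sequence above as an added, runnable model (example code, not Zerq's own): the secret store and the Zerq credential binding are abstracted into a `bound` field and an injected `smoke_test` callback (both assumptions), so the example shows the rollback path when the smoke test fails and the revoke-after-window behaviour of step 5. `demo()` runs a constructed scenario: one good rotation, one failed rotation, then revocation once the window has passed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional
CREATED, ACTIVE, DEPRECATED, REVOKED = "created", "active", "deprecated", "revoked"  # lifecycle states from the page

@dataclass
class CredentialVersion:
    version: int
    state: str = CREATED
    revoke_at: Optional[datetime] = None  # end of the rollback window once deprecated

@dataclass
class Credential:
    rollback_window: timedelta
    versions: Dict[int, CredentialVersion] = field(default_factory=dict)
    bound: Optional[int] = None  # version the credential binding points at (binding API abstracted away)

    def rotate(self, smoke_test: Callable[[int], bool], now: datetime) -> bool:
        """Steps 1-4 of the safe rotation sequence; rolls back and returns False on a failed smoke test."""
        old = self.bound
        new = CredentialVersion(version=len(self.versions) + 1)  # 1. new version in source of truth
        self.versions[new.version] = new
        self.bound = new.version                                 # 2. repoint the binding
        if not smoke_test(new.version):                          # 3. smoke test one protected route
            self.bound = old                                     # old version is still valid: roll back
            new.state = REVOKED
            return False
        new.state = ACTIVE
        if old is not None:                                      # 4. old stays valid for the rollback window
            self.versions[old].state = DEPRECATED
            self.versions[old].revoke_at = now + self.rollback_window
        return True

    def revoke_expired(self, now: datetime) -> List[int]:
        """Step 5: revoke deprecated versions whose observation period has ended."""
        due = [v.version for v in self.versions.values()
               if v.state == DEPRECATED and v.revoke_at is not None and v.revoke_at <= now]
        for n in due:
            self.versions[n].state = REVOKED
        return due

def demo():
    t0 = datetime(2024, 1, 1)  # constructed timeline
    cred = Credential(rollback_window=timedelta(hours=24))
    cred.rotate(lambda v: True, t0)            # initial activation: v1
    ok = cred.rotate(lambda v: True, t0)       # v2 replaces v1, v1 deprecated with a 24h window
    failed = cred.rotate(lambda v: False, t0)  # v3 fails the smoke test, binding stays on v2
    early = cred.revoke_expired(t0 + timedelta(hours=1))   # inside the window: nothing revoked
    late = cred.revoke_expired(t0 + timedelta(hours=25))   # window over: v1 revoked
    return ok, failed, cred.bound, early, late, [v.state for v in cred.versions.values()]
```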

Verification checks

# After rotation, verify protected route still works
curl -i "https://gateway.example.com/v1/billing/health" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Client-ID: billing-cron" \
  -H "X-Profile-ID: prod-billing"

Expected gateway policy statuses

  • 401 unauthenticated request.
  • 403 unauthorized identity.
  • 405 unsupported method.
  • 429 over quota.

If only the upstream secret is wrong, none of the gateway policy statuses above will flag it; monitor for backend auth-failure signals in request logs and mapped error payloads.