Credential Rotation Guide
Credential Rotation — Consolidated Guide
Last Updated: 2026-02-10
Status: Infrastructure Complete, Awaiting Execution
Original Docs: Consolidated from 8 separate files (2026-01-31)
Overview
Comprehensive credential rotation system for BasicAS Group. Handles API keys, tokens, and service credentials across 5+ platforms.
Key Principle: Manual collection (30 min) → Automated storage (2 min) → Secure keychain
Why Manual Collection is Required
Technical Reality:
- All services require authenticated browser login
- No programmatic API exists to regenerate credentials without authentication
- Alem's login credentials not stored in system (by design)
- MFA/CAPTCHA may be required at some services
- OAuth flows require interactive user approval
Result: Automation handles storage and verification. Human handles credential generation.
Services Requiring Rotation
| Service | Type | Location | Rotation Frequency |
|---|---|---|---|
| Anthropic | API Key | console.anthropic.com/account/keys | 90 days |
| ElevenLabs | API Key | elevenlabs.io/app/profile/api-keys | 90 days |
| Telegram | Bot Token | @BotFather in Telegram app | As needed |
| Discord | Bot Token | discord.com/developers/applications | As needed |
| Z.ai | API Key | z.ai dashboard | 90 days |
| one.com | SMTP Password | one.com webmail settings | 180 days |
| Cloudflare | API Token | dash.cloudflare.com/profile/api-tokens | 90 days |
Current Credential Status (as of 2026-01-31)
✅ Found in System
- Anthropic: sk-ant-api03-cH6oDXQ... (in config files)
- ElevenLabs: sk_5b54ee283cd9ee9ff12dae6... (in config files)
- Telegram: 8390640424:AAFP9Zf1R9vUV6T7aQhW6Ow7Z3-13aGDw1g (in config files)
- Z.ai: 143eda33ea3e41f89df91e0e6fd1f0bb.VZxsj7NcstKy9UWX (in config files)
❌ Not Found
- Discord: Needs creation (bot not yet set up)
Rotation Process
Step 1: Review Services (5 min)
Identify which credentials need rotation based on:
- Last rotation date
- Security incidents
- Compliance requirements
- Service recommendations
Step 2: Collect New Credentials (25-30 min)
Visit each service and generate new credentials:
Anthropic (5 min)
- Visit https://console.anthropic.com/account/keys
- Login with Alem's credentials
- Click "Create Key"
- Name: BasicAS-Production-YYYY-MM-DD
- Copy key (starts with sk-ant-api03-)
- Save to temp file
ElevenLabs (5 min)
- Visit https://elevenlabs.io/app/profile/api-keys
- Login with Alem's credentials
- Click "Generate API Key"
- Copy key (starts with sk_)
- Save to temp file
Telegram Bot (5 min)
- Open Telegram app
- Message @BotFather
- Command: /mybots
- Select bot → API Token → Regenerate Token
- Copy token (format: NNNNN:AAAAAAAA...)
- Save to temp file
Discord Bot (5 min)
- Visit https://discord.com/developers/applications
- Login with Alem's credentials
- Select application → Bot → Reset Token
- Copy token
- Save to temp file
Z.ai (5-10 min)
- Visit https://z.ai
- Login with Alem's credentials
- Navigate to API settings
- Generate new token
- Copy token
- Save to temp file
Step 3: Create Credential File (2 min)
Format: ~/temp-credentials.txt

```text
ANTHROPIC_API_KEY=sk-ant-api03-...
ELEVENLABS_API_KEY=sk_...
TELEGRAM_BOT_TOKEN=1234567890:AAAAA...
DISCORD_BOT_TOKEN=...
ZAI_API_KEY=...
```
Step 4: Run Import Tool (2 min)
```bash
# Import to macOS Keychain + update configs
node ~/system/tools/credential-import.js ~/temp-credentials.txt

# Verify storage
security find-generic-password -s "ANTHROPIC_API_KEY"
security find-generic-password -s "ELEVENLABS_API_KEY"
```
Step 5: Update Service Configs (5 min)
The import tool auto-updates:
- ~/system/config/*.json files
- Environment variables
- Docker compose files (if applicable)
Manual verification required for:
- Any hardcoded credentials in code
- Third-party integrations
- CI/CD pipelines
Step 6: Test Services (10 min)
```bash
# Test Anthropic (the API also requires the anthropic-version header)
curl -H "x-api-key: $ANTHROPIC_API_KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/models

# Test ElevenLabs
curl -H "xi-api-key: $ELEVENLABS_API_KEY" https://api.elevenlabs.io/v1/user

# Test Telegram Bot
curl https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/getMe
```
Step 7: Revoke Old Credentials (5 min)
Go back to each service and delete/revoke old credentials to prevent unauthorized use.
Automation Tool: credential-import.js
Location: ~/system/tools/credential-import.js (500+ lines)
Status: ✅ READY TO USE (built 2026-01-31)
Features:
- Reads credentials from text file
- Saves all to macOS Keychain (encrypted)
- Updates ~/system/config/ JSON files
- Generates summary report
- Securely deletes temp files (shred + rm)
Usage:
```bash
node ~/system/tools/credential-import.js <credentials-file>
```
Output:
- Keychain entries created
- Config files updated
- Summary report printed
- Temp file securely deleted
Security Notes
✅ Secure Practices
- Credentials stored in macOS Keychain (encrypted at rest)
- Temp files securely deleted after import (7-pass shred)
- API keys use principle of least privilege
- Rotation schedule enforced (90-180 days)
❌ Current Weaknesses
- Some credentials still in plaintext in docker-compose.yml files (task #310)
- No automated expiry monitoring
- No central credential vault (consider Vault or 1Password)
🔄 Recommended Improvements
- Move Docker secrets: Extract passwords from docker-compose.yml to Docker secrets
- Automated expiry alerts: Script to check credential age and send alerts
- Central vault: Migrate to HashiCorp Vault or 1Password for centralized management
- Audit logging: Track who accessed which credential when
Compliance & Best Practices
Rotation Schedule
- High-risk credentials (admin, root): 30 days
- API keys (production): 90 days
- Service passwords (SMTP, DB): 180 days
- Personal accounts: Annually
Documentation Requirements
- Record rotation date in CHANGELOG
- Update this document with new status
- Notify team of service disruptions
Incident Response
If credential compromise suspected:
- Immediately rotate affected credential
- Audit logs for unauthorized usage
- Revoke old credential
- Document incident in ~/system/reports/security/
- Review access policies
Related Documents
Original Files (Archived)
- CREDENTIAL-ROTATION-2026-01-31.md - Initial audit
- CREDENTIAL-ROTATION-ACTION-PLAN.md - Step-by-step guide
- CREDENTIAL-ROTATION-COMPLETE.md - Infrastructure completion report
- CREDENTIAL-ROTATION-FINDINGS.md - Security findings
- CREDENTIAL-ROTATION-INDEX.md - File index
- CREDENTIAL-ROTATION-README.md - Quick reference
- CREDENTIAL-ROTATION-STATUS.md - Technical status
- CREDENTIALS-ROTATION-README.md - User guide
- SUBAGENT-CREDENTIAL-ROTATION-REPORT.md - Subagent execution report
- SUBAGENT-CREDENTIAL-ROTATION-STATUS.md - Subagent status
All originals preserved in: ~/system/context/docs/security/ (timestamped)
Next Steps
- Schedule rotation: Add to calendar (quarterly for API keys)
- Execute rotation: Follow Step 1-7 above
- Document completion: Update this file with new dates
- Improve automation: Build expiry monitoring script
Maintained by: John (AI Director)
Reviewed by: Alem (CEO)
Next Review: 2026-05-10 (90 days)