Secret Rotation Runbook
This runbook covers rotating secrets for a Factory app Worker without downtime.Principles
- Rotate one secret at a time.
- Deploy the new secret before revoking the old one (allows overlap).
- Wrangler secrets are encrypted at rest; rotation is atomic per-secret.
Wrangler secret commands
Rotation procedures by secret
JWT_SECRET
JWTs already issued will be invalidated immediately. Schedule during low-traffic.
DATABASE_URL / HYPERDRIVE_*
Neon connection string rotation involves the Neon console.
STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET
ANTHROPIC_API_KEY / GROK_API_KEY / GROQ_API_KEY
SENTRY_DSN
Sentry DSNs are not sensitive (they’re public endpoints). Rotation is only needed if the Sentry project is being deprecated.
GitHub Actions secrets
GitHub Actions secrets (used during CI/CD) are separate from Worker runtime secrets.Post-rotation verification checklist
- Worker
/healthreturns 200 - Auth endpoints issue and verify tokens correctly
- DB-backed endpoints return data
- Stripe webhook test event returns 200
- No new Sentry errors in the 15 minutes following rotation