Secret rotation is the practice of replacing credentials, API keys, tokens, certificates, or other secrets with new ones so any copy that was exposed or stolen can no longer be used. The old secret is revoked or expires, and systems are updated to trust the replacement.
It matters because attackers often look for secrets in source code, configuration files, browser sessions, CI logs, and developer workstations. If an extension, endpoint, or repository leaks a token, rotation limits the blast radius and cuts off continued access. In real defenses, teams rotate secrets after suspected exfiltration, then review where the old secret was used, revoke related sessions, and deploy the new credential across apps and pipelines. Good secret management also means using short-lived tokens, automating rotation, and avoiding hard-coded credentials wherever possible.
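The rotate-with-overlap and revoke-after-exfiltration behaviour described above, as an added example that is not part of the original page: an in-memory, versioned secret where a new value is minted, the previous one stays valid only for a grace window so pipelines can be redeployed, and an emergency path revokes every older version at once. The clock is injectable so the window can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class SecretVersion:
    value: str
    created: float
    revoked: bool = False


class RotatingSecret:
    """Versioned secret with an overlap window so every consumer can be
    redeployed with the new value before the old one stops working."""

    def __init__(self, overlap_seconds: float, now=time.time):
        self.overlap = overlap_seconds
        self.now = now  # injectable clock so a test can fast-forward time
        self.versions: list[SecretVersion] = []
        self.rotate()  # mint the initial version

    def current(self) -> str:
        return self.versions[-1].value

    def rotate(self) -> str:
        # Mint a new value; the previous one keeps working for `overlap` seconds.
        new = SecretVersion(secrets.token_urlsafe(32), self.now())
        self.versions.append(new)
        return new.value

    def revoke_predecessors(self) -> int:
        # Emergency path after suspected exfiltration: no grace period at all.
        count = 0
        for v in self.versions[:-1]:
            if not v.revoked:
                v.revoked = True
                count += 1
        return count

    def verify(self, presented: str) -> bool:
        # Accept the current value, or a non-revoked predecessor still inside
        # the overlap window measured from its successor's creation time.
        now = self.now()
        for i, v in enumerate(self.versions):
            if v.revoked or not secrets.compare_digest(v.value.encode(), presented.encode()):
                continue
            if i == len(self.versions) - 1:
                return True
            return now - self.versions[i + 1].created <= self.overlap
        return False
```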