Secret rotation

Last updated: Feb 16, 2026


Key rotation is essential when dealing with sensitive data. The best way to prevent key leakage is by changing keys regularly. Our rotation cycles are as follows:

  • KMS keys: every year or earlier if necessary
  • JWT tokens: daily
  • Digital certificates: every 30 days
  • IAM passphrases: every three months

We rotate secrets in the following two ways:

  • Automatic rotation: Some secrets are stored in secret vaults. They are accessible only to administrators and are rotated daily. These secrets include JWT tokens, IAM passphrases and digital certificates.
  • Manual rotation: Some secrets are versioned and stored encrypted in Git repositories using AES-256 symmetric keys. They are treated as code, which means that manual approval is required to rotate them. These secrets include KMS keys and other application credentials.
