Introduction
rotate-cli
Agent-first secrets rotation. Local-first. Zero servers.
rotate-cli rotates API keys and secrets across 22 providers
(Clerk, OpenAI, Anthropic, Resend, Neon, Supabase, Upstash, Vercel, and
more), then propagates the new values to every downstream consumer
(Vercel env vars, GitHub Actions secrets, local .env files).
The master credentials never leave your machine.
Why build this? The April 2026 Vercel breach exposed ~1,500 env vars across 500 projects. Rotating that many by hand takes days and breaks production. rotate-cli does it in minutes with a fail-forward grace period and verify-based revoke.
Install
# Clone + build from source (npm publish pending)
$ git clone https://github.com/crafter-station/rotate-cli
$ cd rotate-cli && bun install
$ bun link # exposes `rotate-cli` globally
Three commands, one flow
The whole tool is three commands that build on each other. If you have a Vercel token, you don't need a config file.
- scan. Enumerate every env var across every Vercel project you can see. Maps each to a rotate-cli adapter.
- who. For each mapped secret, decide whether it belongs to you, to someone else on the team, or can't be determined. Avoids rotating a teammate's keys and charging your billing.
- apply. Rotate, propagate, verify, grace, revoke. Splits into --auto-only (unattended, fast) and --manual-only (interactive for dashboard-only providers).
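The ordering that apply follows (rotate, propagate, verify, grace, revoke), modeled as an added TypeScript example that is not rotate-cli's own code. FakeProvider, Consumer and applyRotation are hypothetical names, the keys and consumers are constructed, and it assumes the old key is revoked only once every consumer verifies with the new value and the grace window has passed.

```typescript
// Added illustration of the apply ordering; NOT rotate-cli's implementation.
// FakeProvider, Consumer and applyRotation are hypothetical names.
type Consumer = { name: string; value: string; writable: boolean };
type Outcome = { phase: "revoked" | "in_grace" | "verify_failed"; activeKeys: string[]; failed: string[] };

class FakeProvider { // in-memory stand-in for a provider adapter
  active: string[] = ["old-key"]; // constructed sample key name
  private issued = 0;
  create(): string { const k = "new-key-" + (++this.issued); this.active.push(k); return k; }
  revoke(k: string): void { this.active = this.active.filter(a => a !== k); }
  accepts(k: string): boolean { return this.active.indexOf(k) !== -1; }
}

function applyRotation(p: FakeProvider, oldKey: string, consumers: Consumer[],
                       graceMs: number, elapsedMs: number): Outcome {
  const fresh = p.create(); // 1. rotate: old and new keys are both valid from here
  for (const c of consumers) { if (c.writable) c.value = fresh; } // 2. propagate
  // 3. verify: each consumer must now hold the new key, and the provider must accept it
  const failed = consumers.filter(c => c.value !== fresh || !p.accepts(c.value)).map(c => c.name);
  if (failed.length > 0) {
    // Assumed fail-forward behaviour: no rollback and no revoke, so stale consumers keep working
    return { phase: "verify_failed", activeKeys: p.active.slice(), failed };
  }
  if (elapsedMs < graceMs) { // 4. grace: old key stays valid for in-flight users
    return { phase: "in_grace", activeKeys: p.active.slice(), failed };
  }
  p.revoke(oldKey); // 5. revoke, reached only after verification and the grace window
  return { phase: "revoked", activeKeys: p.active.slice(), failed };
}

function sampleConsumers(blockGithub: boolean): Consumer[] { // constructed sample data
  return [
    { name: "vercel-env", value: "old-key", writable: true },
    { name: "github-actions", value: "old-key", writable: !blockGithub },
    { name: ".env.local", value: "old-key", writable: true },
  ];
}
```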
The agent contract
Every command emits a JSON envelope (or pretty output for humans). In
agent mode, the CLI refuses any action missing --reason,
--yes, or --max-rotations. Manual-assist
adapters auto-fail in agent mode because agents can't paste dashboard values.
$ ROTATE_CLI_AGENT_MODE=1 rotate-cli apply \
    --from-scan --yes \
    --reason "vercel-apr-2026 breach response" \
    --max-rotations 50 \
    --audit-log ./audit.log
Next
- Quickstart in 5 minutes with a 2-key pilot
- Adapters reference covering all 22 providers
- Agent mode guardrails. What agents can and can't do.