rotate-cli docs

Reference

Adapters

16 auto + 4 manual-assist + 2 no-check = 22 providers supported.

What's a "mode"? auto adapters call provider APIs to mint and revoke keys. manual-assist adapters pause for the user to paste a new value from the provider dashboard (because the provider doesn't expose a rotation API). no-check adapters skip ownership detection entirely. Used for locally-generated secrets or alias adapters.

Auto adapters

Rotate unattended. Safe in CI and agent mode.

Clerk Logo Clerk Logo
clerk

Clerk

CLERK_SECRET_KEY, CLERK_WEBHOOK_SIGNING_SECRET

format-decode + PLAPI JWKS

OpenAI OpenAI
openai

OpenAI

OPENAI_API_KEY, OPENAI_ADMIN_KEY

api-introspection /v1/me

Anthropic Anthropic
anthropic

Anthropic

ANTHROPIC_API_KEY, ANTHROPIC_ADMIN_KEY

list-match admin API keys

Resend Resend
resend

Resend

RESEND_API_KEY

domain list-match

Supabase Logo Supabase Logo
supabase

Supabase

SUPABASE_SERVICE_ROLE_KEY, SUPABASE_ANON_KEY, SUPABASE_JWT_SECRET

JWT decode + project ref

Neon Neon
neon

Neon (API key)

NEON_API_KEY

GET /users/me

Neon Neon
neon-connection

Neon (DB)

DATABASE_URL, POSTGRES_URL, DATABASE_URL_UNPOOLED

endpoint id reverse-index

Vercel Logo Vercel Logo
vercel-token

Vercel token

VERCEL_TOKEN

GET /v5/user/tokens/current

Vercel Logo Vercel Logo
vercel-ai-gateway

Vercel AI Gateway

AI_GATEWAY_API_KEY

prefix + liveness probe

GitHub Invertocat GitHub Invertocat
github-token

GitHub token

GITHUB_TOKEN

prefix-routed /user or /installation

Upstash Logo Upstash Logo
upstash

Upstash Redis/Vector

UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN

sha256 token hash + endpoint

Polar Logo Polar Logo
polar

Polar

POLAR_ACCESS_TOKEN, POLAR_WEBHOOK_SECRET

GET /v1/organizations + hash

fal fal
fal

fal.ai

FAL_API_KEY, FAL_KEY

key_id list-match

ElevenLabs ElevenLabs
elevenlabs

ElevenLabs

ELEVENLABS_API_KEY

GET /v1/user

Turso Turso
turso

Turso

TURSO_AUTH_TOKEN, TURSO_DATABASE_URL

URL hostname decode

Exa Exa
exa

Exa

EXA_API_KEY

Team Management API

Manual-assist adapters

Require interactive TTY. Run with `apply --manual-only`.

Uploadthing Icon Uploadthing Icon
uploadthing

UploadThing

UPLOADTHING_TOKEN

token format-decode

Vercel Logo Vercel Logo
vercel-blob

Vercel Blob

BLOB_READ_WRITE_TOKEN

ownership only (no rotation API)

Trigger.dev Logo Trigger.dev Logo
trigger-dev

Trigger.dev

TRIGGER_SECRET_KEY

none

Firecrawl Firecrawl
firecrawl

Firecrawl

FIRECRAWL_API_KEY

none

No-check adapters

No ownership detection. Treat as self by default.

Vercel Logo Vercel Logo
vercel-kv

Vercel KV (legacy)

KV_REST_API_URL, KV_REST_API_TOKEN

delegates to upstash

Vercel Logo Vercel Logo
local-random

Local random

SESSION_SECRET, JWT_SECRET, HMAC_SECRET

n/a, generated locally

Env var → adapter mapping

scan matches env var names to adapters via a built-in regex. If your var isn't on this list, it shows up as "unmapped" in scan summary. File an issue or send a PR with the mapping.

Unmapped but known providers

Providers researched but not yet implemented (tier 3, low impact):

Full research reports at docs/adapter-research/unmapped/.