How do I rotate an OpenAI API key after it leaks?

Short answer

Go to platform.openai.com/api-keys and delete the leaked key first (a short outage beats more unauthorized use), create a replacement with the minimum permissions it needs, and update every place the old key lived (Vercel, GitHub Actions, .env files, Docker images). If the key was used, open an OpenAI support ticket within 7 days with evidence of the leak and the rotation so the fraudulent charges can be reversed.

Exact steps:

  • **Revoke**: platform.openai.com/api-keys → open the old key → Delete. Takes effect in seconds. Do this before the replacement is deployed if the key is already public; don't wait on a zero-downtime swap.
  • **Create replacement**: Issue a new key under a dedicated project with restricted permissions, so the next leak is bounded to that project and those endpoints. The secret is shown once at creation; copy it straight into your secret store.
  • **Rotate**: Update every place the key is used, then restart or redeploy so running processes pick it up (Vercel serves a changed variable only after a new deployment).
    - Vercel: Settings → Environment Variables → update, then redeploy
    - GitHub Actions: Settings → Secrets and variables → Actions → update
    - Local: .env / .env.local — delete the old value, add the new one
    - Docker: rebuild images. A key that was baked into a layer stays readable in the old image's history, so remove the old image too and pass the key at runtime in future.
    - Git: if the key was committed, the commit still contains it. Revocation is what actually kills it; rewriting history only limits how many more copies get made.
  • **Audit usage**: platform.openai.com/usage — check from the earliest moment the key could have been exposed (the commit timestamp, not just the last 24-48 hours) up to the revocation, and look for unfamiliar models, volumes or times of day.
  • **Fraud ticket**: If you see usage you didn't authorize, open a support ticket with OpenAI. They reverse fraud within 7 days given evidence: the commit hash or log line showing the exposure, the revocation timestamp, and the usage graph.
  • **Prevent next leak**: set per-project spend limits so a stolen key has a ceiling; enable GitHub secret scanning push protection, which blocks pushes containing OpenAI key patterns; add .env files to .gitignore; never put the key in a NEXT_PUBLIC_ variable, because Next.js inlines those into the browser bundle where anyone can read them.
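The local half of the procedure above, as an added script that is not part of the original page or of any OpenAI tooling. It assumes the variable is named OPENAI_API_KEY, the env files are .env and .env.local, keys start with sk-, and the gh and vercel CLIs are installed and logged in; the exact flags of those two CLIs are assumptions, so check them against your installed versions. The script also verifies that the leaked key is gone from the working tree and from git history, which the dashboard steps never check.

```shell
#!/usr/bin/env sh
# Added example, not from the original page: the local half of the rotation.
# Assumptions: the variable is named OPENAI_API_KEY, the env files are .env and
# .env.local, and the `gh` and `vercel` CLIs are installed and authenticated.

# Replace the OPENAI_API_KEY line in one env file (or append it if missing).
# Writes through a temp file and mv so a crash never leaves a half-written file.
rotate_env_file() {
  file="$1"; new_key="$2"; tmp="$1.tmp.$$"
  if [ -f "$file" ] && grep -q '^OPENAI_API_KEY=' "$file"; then
    sed "s|^OPENAI_API_KEY=.*|OPENAI_API_KEY=$new_key|" "$file" > "$tmp"
  elif [ -f "$file" ]; then
    cat "$file" > "$tmp"
    printf 'OPENAI_API_KEY=%s\n' "$new_key" >> "$tmp"
  else
    printf 'OPENAI_API_KEY=%s\n' "$new_key" > "$tmp"
  fi
  mv "$tmp" "$file"
  chmod 600 "$file"   # env files hold secrets; owner-only permissions
}

# Succeed (exit 0) only if the leaked key is gone from the working tree AND,
# when the directory is a git repo, from every commit on every branch.
# A key that is still in git history is still leaked even after the file is clean.
leaked_key_absent() {
  dir="$1"; old_key="$2"
  if grep -rqF --exclude-dir=.git -- "$old_key" "$dir"; then
    return 1
  fi
  if [ -d "$dir/.git" ] && git -C "$dir" log --all -S"$old_key" --oneline | grep -q .; then
    return 1
  fi
  return 0
}

# Push the replacement to the remote environments. Both CLIs read the value
# from stdin, so the key never appears in shell history or `ps` output.
# Vercel serves the new value only after a fresh deployment.
push_new_key() {
  new_key="$1"
  printf '%s' "$new_key" | gh secret set OPENAI_API_KEY
  vercel env rm OPENAI_API_KEY production --yes 2>/dev/null || true
  printf '%s' "$new_key" | vercel env add OPENAI_API_KEY production
}

# Usage: OLD_OPENAI_KEY=sk-... NEW_OPENAI_KEY=sk-... ROTATE_RUN=1 sh rotate.sh
# Keys are taken from the environment rather than argv so they do not land in
# shell history; run it from the repository root.
main() {
  old_key="${OLD_OPENAI_KEY:?set OLD_OPENAI_KEY}"
  new_key="${NEW_OPENAI_KEY:?set NEW_OPENAI_KEY}"
  for f in .env .env.local; do
    if [ -f "$f" ]; then rotate_env_file "$f" "$new_key"; fi
  done
  push_new_key "$new_key"
  if leaked_key_absent . "$old_key"; then
    echo "old key no longer present in working tree or git history"
  else
    echo "old key still present (file or git history): revoke it in the dashboard anyway and purge" >&2
    exit 1
  fi
}

if [ "${ROTATE_RUN:-0}" = 1 ]; then
  main
fi
```

The script deliberately does nothing about revocation: that happens in the dashboard and must happen whether or not the cleanup below succeeds. The final check is the part people skip; a clean .env with the old key still sitting in a commit or an old Docker image is not a finished rotation.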
