API keys: Module 4

Scopes, rotation & revocation

Good providers let you limit what a key can do (scopes) and let you revoke it instantly. Your operational habit should be: least privilege, and rotate after drama (leak suspicion, employee offboarding, “I pasted it in Discord by accident”).

Scopes = blast radius

Prefer keys that can only read billing — or only call one model — over “god mode” project keys. If Coffee or a script only needs embeddings, do not hand it a key that can delete databases.

Rotation

Create a new key in the provider dashboard, update KEY1-CORE (or your server environment), verify that the app works with the new key, and only then delete the old one. If the provider allows two active keys, keep both live during the switch so there is no downtime.

Revocation

Treat “revoke” as the first button you reach for when a key might be compromised. Removing the value from the vault alone does not invalidate it at the provider — you must still kill it in their console.

OAuth tokens often expire on their own; refresh flows re-acquire them. Long-lived API keys do not — until you revoke manually. Know which pattern each row in your vault uses.
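The four habits above (scoped keys, overlapping rotation, revoking at the provider rather than just deleting the vault row, and knowing which rows expire on their own) can be rehearsed against a simulated provider before you do it for real. The script below is an added example and is not part of this module or any provider's SDK: FakeProvider, Vault, rotate_key and vault_delete_does_not_revoke are constructed stand-ins, and the row name KEY1-CORE is used only because the module uses it. The one thing it shows that the prose alone does not is the rollback path: if the new key fails verification, the old key stays live and nothing is lost.

```python
"""Simulated scoped keys, overlapping rotation, revocation and expiry.

Added example (not from the module). The provider and vault are in-memory
stand-ins; a real provider exposes create/revoke through its console or API.
"""
import secrets
import time


class FakeProvider:
    """Stand-in for a provider's key-management console (constructed)."""

    def __init__(self):
        self._keys = {}      # key value -> {"scopes", "expires_at", "active"}
        self._offset = 0.0   # lets the example fast-forward the clock

    def _now(self):
        return time.time() + self._offset

    def advance(self, seconds):
        """Move the simulated clock forward (to exercise expiry)."""
        self._offset += seconds

    def create_key(self, scopes, ttl_seconds=None):
        """Issue a key limited to `scopes`; ttl_seconds=None means long-lived."""
        value = "sk-" + secrets.token_hex(8)
        expires = None if ttl_seconds is None else self._now() + ttl_seconds
        self._keys[value] = {"scopes": set(scopes), "expires_at": expires, "active": True}
        return value

    def revoke_key(self, value):
        """Invalidate the key at the provider. This is what 'revoke' means."""
        if value in self._keys:
            self._keys[value]["active"] = False

    def authorize(self, value, scope):
        """True only if the key is known, active, unexpired and carries `scope`."""
        rec = self._keys.get(value)
        if rec is None or not rec["active"]:
            return False
        if rec["expires_at"] is not None and self._now() >= rec["expires_at"]:
            return False
        return scope in rec["scopes"]          # blast radius: scope, not 'god mode'


class Vault:
    """Each row stores the secret plus which lifecycle it follows
    ('api_key' = lives until revoked, 'oauth_token' = expires, refreshed)."""

    def __init__(self):
        self.rows = {}

    def put(self, name, value, kind):
        self.rows[name] = {"value": value, "kind": kind}

    def get(self, name):
        return self.rows[name]["value"]

    def delete(self, name):
        self.rows.pop(name, None)


def rotate_key(provider, vault, row, scopes, verify):
    """Overlapping rotation: create new, swap the vault row, verify, then revoke old.
    Returns (new_key, old_key). On failed verification the swap is rolled back,
    the half-born key is revoked and the old key is left untouched."""
    old = vault.get(row)
    new = provider.create_key(scopes)      # both keys are live during the overlap
    vault.put(row, new, "api_key")
    if not verify(new):
        vault.put(row, old, "api_key")     # roll back; old key was never revoked
        provider.revoke_key(new)
        raise RuntimeError("new key failed verification; old key left active")
    provider.revoke_key(old)               # only now kill the old key at the provider
    return new, old


def vault_delete_does_not_revoke(provider, vault, row, scope):
    """The trap from the Revocation section: deleting the vault row does nothing
    at the provider. Returns (accepted_after_vault_delete, accepted_after_revoke)."""
    value = vault.get(row)
    vault.delete(row)
    after_delete = provider.authorize(value, scope)   # still accepted
    provider.revoke_key(value)
    after_revoke = provider.authorize(value, scope)   # now rejected
    return after_delete, after_revoke


if __name__ == "__main__":
    p, v = FakeProvider(), Vault()
    v.put("KEY1-CORE", p.create_key({"embeddings"}), "api_key")
    new, old = rotate_key(p, v, "KEY1-CORE", {"embeddings"},
                          lambda k: p.authorize(k, "embeddings"))
    print("old key still works:", p.authorize(old, "embeddings"))
    print("vault delete vs revoke:", vault_delete_does_not_revoke(p, v, "KEY1-CORE", "embeddings"))
```

The verify callback is where a real deployment would make one cheap, scoped call with the new key (the embeddings endpoint, in the module's example) before the old key is touched; swapping the order, revoke first and verify second, is exactly the outage the overlap is meant to avoid.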