Rotating API keys is routine maintenance — until it causes a production incident. The window between revoking an old key and deploying a new one is where things break: services return 401s, alerts fire, and someone spends 20 minutes tracing an outage back to a key swap they thought was safe. This article covers two patterns that make rotation genuinely zero-downtime, with working code for both.

Why Naive Rotation Breaks Things

The standard advice: generate a new key, update your environment variable, redeploy. Simple. But this creates a race condition that's easy to miss in testing and painful in production:

T=0: Old key revoked

T=+N (seconds to minutes): New key propagated to all running instances