
API Key Management

This page covers how to rotate, revoke, monitor, and securely manage your Anthropic API key in RepoRisk.

Overview

Once your API key is configured in RepoRisk, you may need to:

  • Rotate your key periodically for security (create a new key and retire the old one)
  • Revoke your key immediately if it's compromised or you no longer need it
  • Monitor usage to ensure your Anthropic account is being used as expected
  • Update billing if your payment information changes

This guide walks you through each task.

Key Rotation

Key rotation is the process of creating a new API key and retiring the old one. This is a best practice for security and helps you manage which keys are active.

When to Rotate Your Key

  • Periodically: Every 90 days as part of regular security maintenance
  • After a team member leaves: If an employee with access to the key departs
  • After suspected compromise: If you suspect the key may have been exposed
  • When switching accounts: If you want to use a different Anthropic account

How to Rotate Your Key

Follow these steps to safely rotate your key with zero downtime:

Step 1: Generate a New Key in Anthropic Console

  1. Log in to Anthropic Console
  2. Go to API Keys in the left sidebar
  3. Click + Create Key or Generate New Key
  4. Enter a descriptive name (e.g., RepoRisk Production - v2)
  5. Click Create or Generate
  6. Copy the new key immediately — it will only be shown once

Step 2: Update Your Key in RepoRisk

  1. Log in to RepoRisk at https://app.canirunthat.com
  2. Click Settings in the top navigation
  3. Find the Anthropic API Key section
  4. Click in the API Key input field
  5. Clear the old key (select all and delete)
  6. Paste your new key
  7. Click Save or Update
  8. Verify the key was saved successfully (look for a success message or green checkmark)

At this point, your new key is active and RepoRisk will use it for all new scans.

Step 3: Revoke the Old Key in Anthropic Console

Once you've verified that the new key is working in RepoRisk (by successfully using it for a scan), you can safely revoke the old key:

  1. Log in to Anthropic Console
  2. Go to API Keys
  3. Find the old key in the list
  4. Click the Delete or Revoke button next to the old key
  5. Confirm the deletion

The old key is now inactive and cannot be used.

Important: Do not revoke the old key until you've confirmed that the new key is working in RepoRisk. If you revoke too early, your scans will fail.

Emergency Revocation

If you suspect your API key has been compromised, you must revoke it immediately:

Signs Your Key May Be Compromised

  • Unexpected charges on your Anthropic account
  • Unusual API usage in your Anthropic Console
  • Your key was accidentally shared or exposed (e.g., committed to a public GitHub repo)
  • A team member with access to the key no longer works for you

Steps for Emergency Revocation

  1. Revoke immediately in Anthropic Console:
    • Log in to Anthropic Console
    • Go to API Keys
    • Find the compromised key
    • Click Delete or Revoke
    • Confirm deletion — the key is now inactive
  2. Generate a new key (follow the Key Rotation steps above)
  3. Update RepoRisk immediately:
    • Log in to RepoRisk
    • Go to Settings → Anthropic API Key
    • Update with your new key
    • Click Save
  4. Monitor your Anthropic account for suspicious activity over the next 24 hours

Once revoked, the compromised key cannot be used. Any subsequent API calls using that key will fail.

Effect of Key Revocation on Scans

When you revoke your API key:

  • In-progress scans will fail: Any scan that's currently running will stop and fail with an error message
  • Pending scans will fail: Scans waiting to start will not start and will show a failure status
  • Future scans will fail: New scan submissions will fail until you update your key in RepoRisk

To resume scanning, update your API key in RepoRisk Settings with a new, active key.

Monitoring API Usage

You can track how much your Anthropic account is being used by RepoRisk:

  1. Log in to Anthropic Console
  2. Go to Billing or Usage
  3. View your API usage (typically shows tokens used, costs, and trends)
  4. Check for unexpected usage patterns or high costs
  5. Review your usage regularly to ensure it matches your expectations

If you see unexpected usage, it could indicate:

  • Your key was compromised — revoke it immediately
  • A team member is using the key for another purpose — clarify with them
  • Your scans are using more tokens than expected — contact RepoRisk support

Managing Multiple Keys

If you have multiple Anthropic API keys, you can use them for different purposes:

  • RepoRisk key: Dedicated key for RepoRisk scanning
  • Development key: Separate key for testing or development
  • Team keys: Different keys for different teams or applications

This approach makes it easier to:

  • Revoke one key without affecting others
  • Track usage per application or team
  • Limit the blast radius if a key is compromised

To use a different key in RepoRisk, update it in Settings → Anthropic API Key following the rotation steps.

Key Security Best Practices

Do's

  • Create dedicated keys for each service or team
  • Rotate keys regularly (every 90 days or after suspected compromise)
  • Monitor usage in your Anthropic Console
  • Use different keys for different environments (production vs. staging)
  • Document which key is used where (e.g., "RepoRisk Production" key for RepoRisk)
  • Revoke old keys after rotation to reduce exposure

Don'ts

  • Do not reuse keys across multiple services
  • Do not share keys with team members (each person should have their own key or use shared credentials through RepoRisk's built-in key management)
  • Do not commit keys to version control (Git, GitHub, etc.)
  • Do not share keys in chat, email, or documents — use secure credential sharing
  • Do not use test or development keys in production
  • Do not forget to revoke old keys after rotation
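As an added example (not RepoRisk's or Anthropic's own tooling), the following Python pre-commit check scans staged git changes for strings that look like Anthropic API keys, backing the "Do not commit keys to version control" item above and the "committed to a public GitHub repo" sign listed under Emergency Revocation. It assumes keys carry the `sk-ant-` prefix and that `git` is on PATH; the sample diff is constructed.

```python
#!/usr/bin/env python3
"""Pre-commit check for Anthropic API keys in staged changes.

Added example, not part of RepoRisk or Anthropic tooling. Assumes
Anthropic keys carry the ``sk-ant-`` prefix (assumption) and that
``git`` is on PATH when run as a hook.
"""
import re
import subprocess
import sys

# Assumed prefix followed by a long run of key characters.
KEY_PATTERN = re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}")


def redact(secret: str) -> str:
    """Keep only the prefix and last 4 chars so the report itself does not leak the key."""
    return secret[:7] + "..." + secret[-4:]


def find_key_leaks(diff_text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_key) for each added diff line holding a key-like string.

    Only added lines ('+') are examined; removed lines ('-') are ignored, since
    deleting a key from a file is the desired direction. '+++' file headers are skipped.
    """
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for match in KEY_PATTERN.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def staged_diff() -> str:
    """Text of the staged changes, as a pre-commit hook would see them."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample diff: one added key, one removed key, one harmless line.
SAMPLE_DIFF = """\
+++ b/config.py
+ANTHROPIC_API_KEY = "sk-ant-CONSTRUCTEDsampleKEYvalue0123456789"
-OLD_KEY = "sk-ant-oldconstructedkeyvalue9876543210"
+LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    leaks = find_key_leaks(text)
    for lineno, shown in leaks:
        print(f"line {lineno}: possible Anthropic API key {shown}")
    sys.exit(1 if leaks else 0)
```

Invoke it with `--staged` from a `.git/hooks/pre-commit` script so a non-zero exit blocks the commit.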

Troubleshooting Key Issues

My Key Stopped Working

  1. Check if your Anthropic account still has billing enabled (see Set Up Your Anthropic Account)
  2. Check if your key was revoked or deleted in Anthropic Console
  3. Try refreshing RepoRisk and retrying a scan
  4. Check the BYOK Troubleshooting Guide for error-specific solutions

I Forgot to Copy My New Key

If you created a new key in Anthropic Console but forgot to copy it:

  1. Log in to Anthropic Console
  2. Go to API Keys
  3. Find the new key and click Delete or Revoke (you cannot retrieve the full key once you navigate away)
  4. Create a new key and copy it immediately
  5. Update RepoRisk with the new key

My Old Key Still Works After Revocation

This should not happen. If you find that an old key is still working after you revoked it:

  1. Verify that you revoked the correct key in Anthropic Console
  2. Revoke it again to be sure
  3. Wait a few minutes for the revocation to propagate
  4. If the issue persists, contact Anthropic support

FAQ

Q: How often should I rotate my key?
A: Every 90 days is a good practice, or sooner if you suspect compromise.

Q: What happens to in-progress scans if I rotate my key?
A: If you update the key in RepoRisk while scans are running, those scans should complete using the new key. There's no need to stop scans before rotating.

Q: Can I have multiple keys active in RepoRisk at once?
A: No, RepoRisk uses a single configured key. If you need to use a different key, update it in Settings.

Q: What's the difference between revoking and rotating?
A: Rotating means creating a new key and retiring the old one (best practice). Revoking means immediately deactivating a key (usually for security reasons). Rotation is planned; revocation is urgent.

Q: If I delete my API key by mistake, can I restore it?
A: No, deleted keys cannot be restored. You must create a new key in Anthropic Console.

Additional Resources