# Automated API Key Rotation for LLM Providers
Rotating LLM API keys manually causes outages. This solution provides zero-downtime automated rotation with pre/post validation.
## Solution
CLI + Hono API server + REAA rotation engine + provider adapters.
## Architecture
A CLI and Hono-based API server expose rotation, validation, and status operations. The `LlmRotationService` orchestrator wraps `@reaatech/secret-rotation-core` to drive key lifecycle, delegating validation to OpenAI and Anthropic SDKs and secret storage to AWS Secrets Manager and Vercel Environment Variables. The sidecar server streams SSE events, and observability is handled via structured logging and Prometheus metrics.
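The orchestration sequence described above, as an added example that is not the project's own code (`KeyIssuer`, `SecretStore`, `rotateSecret` and the in-memory fakes are assumed names): one rotation step that only retires the old key after the new one has passed pre-validation at the provider and post-validation from the secret store, rolling back on either failure.

```typescript
// Illustration of one zero-downtime rotation step with pre/post validation.
// Interface names are assumptions for this example, not the project's API.
interface KeyIssuer {
  create(): string;               // mint a new key at the LLM provider
  revoke(key: string): void;      // retire a key at the provider
  validate(key: string): boolean; // cheap authenticated call, e.g. via the provider SDK
}
interface SecretStore {
  read(name: string): string | undefined;
  write(name: string, value: string): void;
}
type RotationResult =
  | { status: "rotated"; oldKey: string | undefined; newKey: string }
  | { status: "aborted"; reason: string; activeKey: string | undefined };

function rotateSecret(name: string, issuer: KeyIssuer, store: SecretStore): RotationResult {
  const oldKey = store.read(name);
  const newKey = issuer.create();
  // Pre-validation: never publish a key the provider has not accepted.
  if (!issuer.validate(newKey)) {
    issuer.revoke(newKey); // nothing references it yet, so this is safe
    return { status: "aborted", reason: "new key failed pre-validation", activeKey: oldKey };
  }
  store.write(name, newKey);
  // Post-validation: confirm the store now serves exactly the key we validated.
  const stored = store.read(name);
  if (stored !== newKey || !issuer.validate(newKey)) {
    if (oldKey !== undefined) store.write(name, oldKey); // roll back; the old key is still live
    issuer.revoke(newKey);
    return { status: "aborted", reason: "post-validation failed", activeKey: oldKey };
  }
  // Both keys were valid during the overlap, so retiring the old one cannot cause an outage.
  if (oldKey !== undefined) issuer.revoke(oldKey);
  return { status: "rotated", oldKey, newKey };
}
// In-memory fakes (constructed for this example) so the flow runs offline.
class FakeIssuer implements KeyIssuer {
  readonly live = new Set<string>(); // keys the fake provider currently accepts
  private n = 0;
  private rejected: Set<string>;
  constructor(rejected: Set<string> = new Set()) { this.rejected = rejected; }
  create(): string { const k = `sk-test-${++this.n}`; this.live.add(k); return k; }
  revoke(key: string): void { this.live.delete(key); }
  validate(key: string): boolean { return this.live.has(key) && !this.rejected.has(key); }
}
class MemoryStore implements SecretStore {
  private m = new Map<string, string>();
  read(name: string): string | undefined { return this.m.get(name); }
  write(name: string, value: string): void { this.m.set(name, value); }
}
```

A real adapter would back `validate` with an inexpensive authenticated SDK call and `SecretStore` with AWS Secrets Manager or Vercel, but the ordering of the steps is what keeps consumers from ever reading a key that does not work.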
## REAA Packages
| Package | Role |
|---|---|
| `@reaatech/secret-rotation-core` | Rotation engine (`RotationManager`, key lifecycle) |
| `@reaatech/secret-rotation-sidecar` | HTTP sidecar integration (`SidecarServer`, SSE events) |
| `@reaatech/secret-rotation-provider-aws` | AWS Secrets Manager adapter |
| `@reaatech/secret-rotation-provider-vercel` | Vercel environment variable adapter |
| `@reaatech/secret-rotation-observability` | Logging and Prometheus metrics |
| `@reaatech/secret-rotation-types` | Shared TypeScript types and interfaces |
## Third-Party Integrations
- **OpenAI SDK** — key validation via `openai` package
- **Anthropic SDK** — key validation via `@anthropic-ai/sdk`
- **AWS SDK** — secret storage via `@aws-sdk/client-secrets-manager`
- **Vercel API** — environment variable management
## Quick Start
```bash
pnpm install
cp .env.example .env # configure your providers and secrets
npx srotation server
```
## CLI Usage
```bash
srotation rotate [--name <secret>] # Rotate a specific secret
srotation validate [--name <secret>] # Validate a specific secret
srotation status [--name <secret>] # Show rotation status
srotation server [--port <port>] # Start the API server
```
Flags: `--name` limits the operation to a single secret; `--port` sets the server port (default `3210`).
## API Reference
All endpoints are served by the Hono API server.
| Method | Path | Description |
|---|---|---|
| GET | `/health` | Health check returning `{ status: "ok" }` |
| GET | `/secrets` | List all managed secrets |
| GET | `/secrets/:name` | Get details for a named secret |
| POST | `/rotate` | Rotate all managed secrets |
| POST | `/secrets/:name/rotate` | Rotate a single named secret |
| GET | `/metrics` | Prometheus metrics endpoint |
| GET | `/events` | SSE stream of rotation events |
## Configuration
| Variable | Description |
|---|---|
| `SRK_PROVIDER` | Secret provider: `aws` or `vercel` |
| `SRK_AWS_REGION` | AWS region for Secrets Manager |
| `SRK_AWS_ENDPOINT` | AWS endpoint override (optional) |
| `SRK_VERCEL_TOKEN` | Vercel API token |
| `SRK_VERCEL_PROJECT_ID` | Vercel project ID |
| `SRK_VERCEL_TEAM_ID` | Vercel team ID (optional) |
| `SRK_VERCEL_TARGET` | Vercel environment target: `production`, `preview`, `development` |
| `OPENAI_API_KEY` | OpenAI API key for validation |
| `ANTHROPIC_API_KEY` | Anthropic API key for validation |
| `SRK_PORT` | Server port (default `3210`) |
| `SRK_HOST` | Server host (default `0.0.0.0`) |
| `SRK_AUTH_TOKEN` | Bearer token for API authentication |
| `SRK_CORS_ORIGIN` | Allowed CORS origin |
| `SRK_LOG_LEVEL` | Log level: `debug`, `info`, `warn`, `error` |
| `SRK_LOG_STRUCTURED` | Enable structured JSON logging (`true`/`false`) |
| `SRK_ROTATION_INTERVAL_MS` | Automatic rotation interval in milliseconds |
| `SRK_SECRETS` | JSON array of secret definitions |
## Development
```bash
pnpm typecheck
pnpm lint
pnpm test
```
## License
MIT