Raxx · internal docs

internal · gated ↑ index

Rotation SOP — Anthropic API Key

Mode: operator-assisted Last validated: 2026-04-24 UTC Validation method: read-only-docs Average duration: 4m Required role: ops

Applies to: ANTHROPIC_API_KEY (and any per-environment / per-workspace keys, e.g., ANTHROPIC_API_KEY_AGENTS, ANTHROPIC_API_KEY_DEV). Used by Raxx agent infrastructure, Claude Code SDK integrations, and any backend that calls api.anthropic.com.

When to run

Scheduled rotation (cadence: every 90 days — recommended by Anthropic)
Operator-initiated (suspected compromise, off-cycle)
After incident (employee offboarding, accidental commit/log of key value, leaked-key recovery)

Prerequisites

[ ] Anthropic Console access at https://platform.claude.com/ via SSO (operator)
[ ] Workspace identified (if multiple keys exist across workspaces)
[ ] Existing key in Infisical with history
[ ] Downstream consumer list: Raxx agent runtime, Claude Code SDK invocations, any data-scientist agent integrations

Steps

1. Pre-rotation checks

# Confirm current key works against the Messages API
curl -sS https://api.anthropic.com/v1/messages \
  -H "x-api-key: $CURRENT_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
  | jq '.id'
# Expect: a message ID. Use a small/cheap model for the validation call.

2. Generate the new credential

Anthropic does not expose a programmatic rotation API. Console-only.

Navigate to https://platform.claude.com/settings/keys.
Click "+ Create Key".
Enter a descriptive name (recommended: raxx-prod-rotation-2026-04-24).
(Optional) Assign to a workspace if using workspace segmentation.
Click Add.
Copy the new key value immediately — shown once.
Do NOT revoke the old key yet (that's step 7).

3. Validate the new credential

NEW_KEY="..."
curl -sS https://api.anthropic.com/v1/messages \
  -H "x-api-key: $NEW_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
  | jq '.id'
# Expect: a message ID.

4. Store in Infisical

infisical secrets set ANTHROPIC_API_KEY="$NEW_KEY" \
  --projectId="$INFISICAL_PROJECT_ID" --env=prod

5. Propagate to downstream consumers

Consumer	How
Raptor (raxx-api-prod)	`heroku config:set ANTHROPIC_API_KEY="$NEW_KEY" -a raxx-api-prod`
Agent runtime / Claude Code SDK invocations	per its app's config-var path
GitHub Actions (if any agent jobs run in CI)	`gh secret set ANTHROPIC_API_KEY -b "$NEW_KEY"`
Operator local zshrc	DM via Slack `D0AJ7K184TV`

6. Verify downstream

# Hit a Raptor endpoint that calls Anthropic on the backend
curl -sS https://api.raxx.app/api/agents/health | jq '.anthropic'
# Expect: {"ok": true, ...}

heroku logs --tail -a raxx-api-prod | grep -iE 'anthropic|claude'
# Expect: no 401/403 from api.anthropic.com after dyno restart.

For agent jobs, run a small end-to-end agent invocation and confirm it completes.

7. Revoke the old credential

Anthropic Console → Settings → Keys (https://platform.claude.com/settings/keys).
Locate the OLD key by name.
Click Revoke.
Confirm.

Verify:

curl -sS -o /dev/null -w "%{http_code}\n" https://api.anthropic.com/v1/messages \
  -H "x-api-key: $OLD_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}'
# Expect: 401

Anthropic notes: "When you revoke a key, it stops working immediately."

8. Audit log entry

action: secret.rotate.completed
actor: <admin_id>
context: {
  "secret_name": "ANTHROPIC_API_KEY",
  "method": "operator-assisted-console",
  "workspace": "<name or default>"
}

Rollback

Until step 7, both old and new keys are valid. To roll back:

Revert Heroku config vars to the OLD key (from Infisical history).
Restart dynos.
Skip step 7.
Investigate the new key's failure; redo from step 2 with a fresh create.

After step 7 (revoke), the old key is dead and unrecoverable. Generate a brand-new key.

Vendor doc references

API key best practices: https://support.claude.com/en/articles/9767949-api-key-best-practices-keeping-your-keys-safe-and-secure
Console settings: https://platform.claude.com/settings/keys
Workspace segmentation: https://platform.claude.com/settings/workspaces
Getting started (auth header x-api-key): https://platform.claude.com/docs/en/api/getting-started

Known gotchas

No programmatic rotation. Console only.
x-api-key header, not Authorization: Bearer .... Different from most SaaS APIs.
Workspace-scoped keys segment usage. If we use workspaces, ensure rotation happens in the correct workspace; a key from a different workspace will authenticate but bill against the wrong cost center.
Revoke is immediate. Plan propagation to complete before clicking Revoke.
Rate limits and tier may differ between keys in different workspaces. Validate that the new key has the rate limits the consumer expects (visit https://platform.claude.com/settings/limits).
Validation calls cost money. Use the cheapest model (claude-haiku-4-5) and max_tokens: 10.

Auto-generated from docs/ in raxx-app/TradeMasterAPI. Gated behind Cloudflare Access. Re-deployed on every push to main.