Raxx · internal docs

internal · gated

Rotation SOP — Anthropic API Key

Mode: operator-assisted Last validated: 2026-04-24 UTC Validation method: read-only-docs Average duration: 4m Required role: ops

Applies to: ANTHROPIC_API_KEY (and any per-environment / per-workspace keys, e.g., ANTHROPIC_API_KEY_AGENTS, ANTHROPIC_API_KEY_DEV). Used by Raxx agent infrastructure, Claude Code SDK integrations, and any backend that calls api.anthropic.com.

When to run

Prerequisites

Steps

1. Pre-rotation checks

# Confirm current key works against the Messages API
curl -sS https://api.anthropic.com/v1/messages \
  -H "x-api-key: $CURRENT_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
  | jq '.id'
# Expect: a message ID. Use a small/cheap model for the validation call.

2. Generate the new credential

Anthropic does not expose a programmatic rotation API. Console-only.

  1. Navigate to https://platform.claude.com/settings/keys.
  2. Click "+ Create Key".
  3. Enter a descriptive name (recommended: raxx-prod-rotation-2026-04-24).
  4. (Optional) Assign to a workspace if using workspace segmentation.
  5. Click Add.
  6. Copy the new key value immediately — shown once.
  7. Do NOT revoke the old key yet (that's step 7).

3. Validate the new credential

NEW_KEY="..."
curl -sS https://api.anthropic.com/v1/messages \
  -H "x-api-key: $NEW_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
  | jq '.id'
# Expect: a message ID.

4. Store in Infisical

infisical secrets set ANTHROPIC_API_KEY="$NEW_KEY" \
  --projectId="$INFISICAL_PROJECT_ID" --env=prod

5. Propagate to downstream consumers

Consumer How
Raptor (raxx-api-prod) heroku config:set ANTHROPIC_API_KEY="$NEW_KEY" -a raxx-api-prod
Agent runtime / Claude Code SDK invocations per its app's config-var path
GitHub Actions (if any agent jobs run in CI) gh secret set ANTHROPIC_API_KEY -b "$NEW_KEY"
Operator local zshrc DM via Slack D0AJ7K184TV

6. Verify downstream

# Hit a Raptor endpoint that calls Anthropic on the backend
curl -sS https://api.raxx.app/api/agents/health | jq '.anthropic'
# Expect: {"ok": true, ...}

heroku logs --tail -a raxx-api-prod | grep -iE 'anthropic|claude'
# Expect: no 401/403 from api.anthropic.com after dyno restart.

For agent jobs, run a small end-to-end agent invocation and confirm it completes.

7. Revoke the old credential

  1. Anthropic Console → Settings → Keys (https://platform.claude.com/settings/keys).
  2. Locate the OLD key by name.
  3. Click Revoke.
  4. Confirm.

Verify:

curl -sS -o /dev/null -w "%{http_code}\n" https://api.anthropic.com/v1/messages \
  -H "x-api-key: $OLD_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  --data '{"model":"claude-haiku-4-5","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}'
# Expect: 401

Anthropic notes: "When you revoke a key, it stops working immediately."

8. Audit log entry

action: secret.rotate.completed
actor: <admin_id>
context: {
  "secret_name": "ANTHROPIC_API_KEY",
  "method": "operator-assisted-console",
  "workspace": "<name or default>"
}

Rollback

Until step 7, both old and new keys are valid. To roll back:

  1. Revert Heroku config vars to the OLD key (from Infisical history).
  2. Restart dynos.
  3. Skip step 7.
  4. Investigate the new key's failure; redo from step 2 with a fresh create.

After step 7 (revoke), the old key is dead and unrecoverable. Generate a brand-new key.

Vendor doc references

Known gotchas