Credential Rotator
Detect exposed credentials and automatically rotate them. Find leaked API keys, tokens, and passwords before attackers do.
Get the CLI Tool
Run the credential rotator locally as an MCP server, or try the scanner online below.
npx @clinetools/cred-rotator
- Detects 50+ credential patterns: AWS, GitHub, OpenAI, Stripe, and more
- Scans .env files, config files, source code, and CI/CD pipelines
- Auto-rotation: revoke old credential and generate new one via provider APIs
- Updates all references across your codebase after rotation
- Preference conversation on first run — choose scan depth and auto-rotate behavior
How to Use It
Detect leaked credentials and rotate them before they're exploited.
Try Online
Paste code or config below to scan for exposed credentials — no install needed.
Use via CLI
Scan your entire project. The tool asks your preferences on first run.
Add to Cline / Claude Code
Your agent detects exposed credentials automatically and offers to rotate them.
MCP Client Configuration
{
  "mcpServers": {
    "cred-rotator": {
      "command": "npx",
      "args": ["@clinetools/cred-rotator"]
    }
  }
}
Example: Rotate an Exposed Key
// Prompt to your AI agent:
"This API key was exposed in a commit -
rotate it and update all config files"
// The agent calls:
rotate_credential({
  type: "aws_access_key",
  current: "AKIA...",
  scan_references: true
})
// Output:
// 1. Old key revoked via AWS IAM API
// 2. New key generated
// 3. Updated in: .env, deploy.yml, config.ts
// 4. Verified all references updated
Preference Conversation (First Run)
// On first run, the tool asks:
1. "What should I scan?"
   [x] Source code files
   [x] .env and config files
   [x] CI/CD pipeline files
   [ ] Git history (slower, thorough)
2. "When I find exposed credentials, should I?"
   [ ] Auto-rotate immediately
   [x] Ask before rotating each one
   [ ] Report only, don't rotate
3. "Which providers can I auto-rotate?"
   [x] AWS (IAM key rotation)
   [x] GitHub (token regeneration)
   [ ] Stripe (requires dashboard)
   [ ] OpenAI (manual rotation only)
// Preferences saved to .clinetools/cred-rotator.json
Try It Online
Paste code or config files to scan for exposed credentials.
Why Credential Rotation Matters
A leaked credential is an open door. The average time to exploit a leaked key is under 10 minutes.
Bots Scan GitHub 24/7
Automated bots continuously scan every public commit on GitHub for credentials. AWS keys pushed to a public repo are typically exploited within 10 minutes for crypto mining or data theft.
Git History Never Forgets
Deleting a secret from your code isn't enough — it's still in git history. Force-pushing doesn't help if the repo was already cloned. You must rotate the credential to truly revoke access.
Rotation Limits Blast Radius
Regular rotation means even if a key is stolen, it stops working soon. Short-lived credentials (hours not years) dramatically reduce the window an attacker has to exploit a leak.
Compliance Requires It
PCI DSS, SOC 2, HIPAA, and ISO 27001 all require credential rotation policies. Automated rotation with audit trails gives you compliance documentation for free.
AI Agents Generate Configs
When AI agents write deployment configs, they sometimes hardcode credentials from context. A credential scanner catches these before they reach version control — your safety net before git push.
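A pattern-based scan of the kind described above, as an added example (not the cred-rotator tool's own code): it matches AWS access key IDs and GitHub tokens by their published prefixes and reports file, line and a redacted value, so the finding itself does not re-leak the secret. The function names, the two patterns chosen and the sample .env content are assumptions constructed for illustration.

```javascript
// Added example: minimal credential scanner. Hypothetical names throughout;
// only two of the many provider patterns a real scanner would carry.
const PATTERNS = [
  // AWS access key ID: AKIA (long-term) or ASIA (temporary) + 16 chars
  { type: "aws_access_key", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 alphanumerics
  { type: "github_token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
];

// Keep the first and last 4 characters so a finding can be logged or
// shown in a review without exposing the full credential again.
function redact(secret) {
  return secret.slice(0, 4) + "*".repeat(secret.length - 8) + secret.slice(-4);
}

// Scan text line by line; return one finding per match with its location.
function scan(text, file = "<pasted>") {
  const findings = [];
  text.split(/\r?\n/).forEach((content, i) => {
    for (const { type, re } of PATTERNS) {
      for (const m of content.matchAll(re)) {
        findings.push({ file, line: i + 1, type, redacted: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input. The AWS value is the example key ID used in
// AWS documentation; the GitHub token is generated filler, not a real token.
const SAMPLE_ENV = [
  "# constructed sample .env",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "AWS_REGION=us-east-1",
  `GITHUB_TOKEN=ghp_${"A1b2".repeat(9)}`,
  'PLACEHOLDER="AKIA..."', // truncated placeholder: must not be flagged
].join("\n");

for (const f of scan(SAMPLE_ENV, ".env")) {
  console.log(`${f.file}:${f.line} ${f.type} ${f.redacted}`);
}
```

A match only tells you a credential-shaped string is present; whether it is live still has to be settled by rotating it at the provider.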
Rotate Secrets Before They're Exploited
Add the Credential Rotator to your agent's toolkit and catch leaks automatically.