Security advisory: rotate your model API keys
If you stored OpenAI/Anthropic keys in Reflectt Cloud, rotate them as a precaution and update your team secrets.
We recently fixed an authorization bug affecting host-scoped secret reads.
Out of an abundance of caution, rotate any model provider API keys (OpenAI / Anthropic) you stored in Reflectt Cloud, then update your team secrets.
Who should rotate keys?
Rotate keys if either is true:
- You entered an OpenAI or Anthropic API key during onboarding
- You have connected hosts that pull secrets from Reflectt Cloud
If you’ve never stored provider keys in Reflectt Cloud, you can ignore this advisory.
What to rotate
- OPENAI_API_KEY
- ANTHROPIC_API_KEY
Step 1 — Rotate at your provider
OpenAI
- Go to your OpenAI API Keys page
- Create a new key
- (Recommended) Delete the old key once you’ve confirmed everything works
Anthropic
- Go to your Anthropic API Keys page
- Create a new key
- (Recommended) Delete the old key once you’ve confirmed everything works
Step 2 — Update keys in Reflectt Cloud
- Open the setup wizard: app.reflectt.ai → Onboard
- Paste the new key(s)
- Save
If you use OAuth-based provider auth in the wizard, re-authorize the provider.
Step 3 — Confirm your hosts still work
After updating keys:
- Check Hosts in the dashboard: they should be online and syncing
- Trigger a small task and confirm agents can still call your provider
If a host is offline or failing to fetch secrets, reconnect it (or re-provision if necessary).
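To check the rotation against the providers directly, the following added example (not Reflectt's own tooling) confirms that the new key authenticates and that the old key no longer does, using each provider's list-models endpoint. The `OLD_OPENAI_API_KEY` / `OLD_ANTHROPIC_API_KEY` variable names and the `check_rotation` helper are assumptions made for this example.

```python
import os
import urllib.error
import urllib.request

# List-models endpoints: authenticated GETs that generate no completions.
PROVIDERS = {
    "OPENAI_API_KEY": ("https://api.openai.com/v1/models",
                       lambda k: {"Authorization": f"Bearer {k}"}),
    "ANTHROPIC_API_KEY": ("https://api.anthropic.com/v1/models",
                          lambda k: {"x-api-key": k,
                                     "anthropic-version": "2023-06-01"}),
}

def http_status(url, headers):
    """Return the HTTP status of an authenticated GET; the body is discarded."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_rotation(name, new_key, old_key=None, fetch=http_status):
    """Classify rotation state for one provider key. Keys are never printed."""
    url, make_headers = PROVIDERS[name]
    if old_key and old_key == new_key:
        return ["NOT_ROTATED: old and new key are identical"]
    findings = []
    new_status = fetch(url, make_headers(new_key))
    findings.append("NEW_KEY_OK" if new_status == 200
                    else f"NEW_KEY_FAILED: HTTP {new_status}")
    if old_key:
        old_status = fetch(url, make_headers(old_key))
        if old_status == 200:
            findings.append("OLD_KEY_STILL_ACTIVE: delete it at the provider")
        elif old_status in (401, 403):
            findings.append("OLD_KEY_REVOKED")
        else:
            findings.append(f"OLD_KEY_UNKNOWN: HTTP {old_status}")
    return findings

if __name__ == "__main__":
    for name in PROVIDERS:
        new = os.environ.get(name)
        old = os.environ.get("OLD_" + name)  # assumed variable name
        if new:
            print(name, check_rotation(name, new, old))
```

An `OLD_KEY_STILL_ACTIVE` result means the exposed key can still be used until it is deleted at the provider.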
Need help?
If you want help validating that rotation was successful, contact support via the Help page in the app.