Rotate All Exposed Credentials from Downloads Consolidation
Severity: CRITICAL
Discovery: 2026-03-10 (initial), 2026-03-28 (additional Clerk/Notion/Railway found)
Credentials were found in plaintext Downloads files and moved to Pictures/secrets/
but have NOT been rotated. The old values remain valid until manually revoked.
Checklist
Priority 1 — Production keys (immediate)
- [ ] Clerk — Rotate sk_live_*, sk_test_*, publishable keys, webhook signing secret
  - Dashboard: https://dashboard.clerk.com → API Keys
  - Update: Vercel env vars, .env.local, GitHub secrets
  - Revoke old keys
- [ ] Vercel — Rotate vca_* token and project ID secret
  - Dashboard: https://vercel.com/account/tokens
  - Update: GitHub Actions VERCEL_TOKEN secret
- [ ] GitHub PAT — Revoke exposed ghp_cr4c624xXbIVmj* token
  - Dashboard: https://github.com/settings/tokens
  - Current auth uses OAuth (gho_*), so the PAT is redundant — delete it
Priority 2 — API keys (within 48 hours)
- [ ] Pinecone — Rotate pcsk_* API key
  - Dashboard: https://app.pinecone.io → API Keys
  - Update: Vercel env vars
- [ ] Notion — Rotate ntn_* internal integration token
  - Dashboard: https://www.notion.so/my-integrations
  - Update: Vercel, GitHub Actions, local env
- [ ] NPM — Rotate npm_* automation token
  - Dashboard: https://www.npmjs.com/settings/~/tokens
  - Update: GitHub Actions NPM_TOKEN secret
Priority 3 — Secondary services (within 1 week)
- [ ] Railway — Rotate exposed railway tokens
  - Dashboard: https://railway.app/account/tokens
- [ ] AWS Bedrock — Rotate long-term API key from CSV
  - Dashboard: https://console.aws.amazon.com/iam → Security credentials
Post-Rotation Verification
- [ ] Run Morphism deployment to verify Clerk/Vercel integration
- [ ] Run CI pipeline to verify GitHub Actions secrets
- [ ] Test Notion sync to verify token works
- [ ] Delete plaintext files from Pictures/secrets/ after rotation
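To confirm no plaintext copies remain after the files are deleted, the following added example (not part of the original checklist or the referenced rotation guide) scans a directory tree for strings that start with the token prefixes named above and reports file, line and token type without printing the secret. The body character set and 16-character minimum are assumptions; Railway tokens and the AWS key have no prefix listed here and are not covered.

```python
import re
import sys
from pathlib import Path
# Prefixes as listed in the checklist. The body charset and 16-char minimum
# are assumptions made here to limit false positives, not vendor formats.
PREFIXES = {
    "sk_live_": "Clerk secret key (live)",
    "sk_test_": "Clerk secret key (test)",
    "vca_": "Vercel token",
    "ghp_": "GitHub PAT",
    "gho_": "GitHub OAuth token",
    "pcsk_": "Pinecone API key",
    "ntn_": "Notion integration token",
    "npm_": "NPM automation token",
}
# The lookbehind rejects prefixes that are only the tail of a longer word.
_ALT = "|".join(map(re.escape, PREFIXES))
TOKEN_RE = re.compile(rf"(?<![A-Za-z0-9_])({_ALT})([A-Za-z0-9_-]{{16,}})")
# Constructed sample input; the token bodies are filler, not real secrets.
SAMPLE = "\n".join([
    "CLERK_SECRET_KEY=sk_live_" + "a" * 32,
    "run with npm_config_cache=/tmp",
    "NPM_TOKEN=npm_" + "B" * 36,
    "fixture=desk_test_0123456789abcdef0123",
])

def scan_text(text, source="<sample>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "kind": PREFIXES[m.group(1)],
                             "redacted": f"{m.group(1)}<{len(m.group(2))} chars>"})
    return findings

def scan_tree(root):
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        findings.extend(scan_text(text, str(path)))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['kind']} {h['redacted']}")
    sys.exit(1 if hits else 0)
```

Run it with a directory argument (for example the Downloads folder or a repository checkout); a non-zero exit status means at least one token-shaped string is still on disk. A hit says nothing about whether the key is still valid, so it does not replace the rotation steps.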
Reference
Full rotation guide with exact commands: Pictures/secrets/URGENT-SECRET-ROTATION.md