SOP: Managing API Keys & Security

Purpose

Standardize the handling of sensitive credentials to prevent leaks and unauthorized access.

Never share API keys via Slack, Email, or unclear text.

Always use a password manager (1Password / Vault) to share keys with the team.

CMS Storage: The CMS encrypts keys at rest. Trust the system storage rather than keeping local text files.

API Keys should be rotated (regenerated) periodically or immediately if a staff member with access leaves.

Generate New Key: Go to the provider (e.g., OpenAI) and generate a new key.

Update CMS: Go to /cms/apps > Select App > Configure > Paste New Key > Save.

Test: Verify functionality.

Revoke Old Key: Go back to the provider and delete the old key.