Rotate your Clerk API keys
Common reasons to rotate a key include a leaked .env file, a security incident at a third-party service, or a departing team member. This page covers how to rotate your Secret Key and explains which other Clerk credentials do or don't need rotation.
Which keys to rotate
Not every Clerk credential is a secret, and not all of them are rotated the same way:
- Publishable Key (pk_live_*/pk_test_*): Safe to expose on the frontend. You don't need to rotate it if it's committed to a repository or otherwise made public.
- Secret Key (sk_live_*/sk_test_*): Must be kept private. If it's exposed, rotate it using the steps below.
- Webhook signing secret (whsec_*): Managed separately from Clerk's API keys on the Webhooks page in the Clerk Dashboard.
Rotate your Secret Key
Clerk supports multiple active Secret Keys on the same instance, which lets you roll keys with zero downtime. The process is to add a new key, deploy your application with it, and then delete the old one.
- At the top left of the Clerk Dashboard, select the app and environment (e.g., Development or Production) you want to rotate keys for.
- In the sidenav, navigate to the API keys page.
- Under Secret keys, select + Add new key. Give the new key a descriptive name (e.g., rotated-2026-04-19) and create it.
- Copy the new key value.
- Update the CLERK_SECRET_KEY environment variable everywhere it's set: your local .env file, your hosting provider (Vercel, Netlify, AWS, etc.), your CI/CD pipelines, and anywhere else the key is referenced.
- Redeploy your app so the new key takes effect.
- Verify that your app works as expected with the new key. Exercise any flow that calls Clerk's Backend API, for example, server-side routes that use clerkClient, auth middleware, and admin scripts that create, update, or delete users.
- Return to the API keys page, find the old (compromised) key under Secret keys, and delete it.
After you delete the old key, any request to Clerk's Backend API that still uses it will fail.
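As an added example (not part of Clerk's documentation or SDK), the following Node.js script audits each place CLERK_SECRET_KEY is set for one instance before the old key is deleted, and reports a status per location without echoing key material. The function names, target names, and key values are constructed for illustration, and it assumes sk_live_ keys belong to Production instances and sk_test_ keys to Development instances.

```javascript
// Added example, not Clerk's code. All key values are constructed placeholders.

// Read CLERK_SECRET_KEY from dotenv-style text; the last assignment wins.
function readSecretKey(envText) {
  let value = null;
  for (const raw of envText.split(/\r?\n/)) {
    const m = raw.trim().match(/^(?:export\s+)?CLERK_SECRET_KEY\s*=\s*(.*)$/);
    if (!m) continue; // comments and other variables never match
    // Drop a trailing "# comment", then strip one pair of matching quotes.
    value = m[1].replace(/\s+#.*$/, "").trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return value;
}

// Classify one location. Assumption: sk_live_ keys belong to Production
// instances and sk_test_ keys to Development instances.
function classify(key, { environment, oldKey, newKey }) {
  const prefix = environment === "production" ? "sk_live_" : "sk_test_";
  if (!key) return "missing";
  if (key === oldKey) return "stale"; // fails once the old key is deleted
  if (!key.startsWith("sk_")) return "not-a-secret-key"; // e.g. pk_* or whsec_*
  if (!key.startsWith(prefix)) return "wrong-environment";
  return key === newKey ? "ok" : "unknown-key";
}

// Audit every location of one Clerk instance; the report holds no key material.
function auditRotation(rotation, targets) {
  const report = targets.map((t) => ({
    name: t.name,
    status: classify(readSecretKey(t.envText), rotation),
  }));
  return { report, safeToDeleteOldKey: report.every((r) => r.status === "ok") };
}

// Constructed sample input: three places a Production key is configured.
const rotation = {
  environment: "production",
  oldKey: "sk_live_OLD_placeholder",
  newKey: "sk_live_NEW_placeholder",
};
const targets = [
  { name: "hosting", envText: 'NODE_ENV=production\nCLERK_SECRET_KEY="sk_live_NEW_placeholder" # rotated\n' },
  { name: "ci", envText: "export CLERK_SECRET_KEY=sk_live_OLD_placeholder\n" },
  { name: "admin-script", envText: "CLERK_SECRET_KEY=sk_test_DEV_placeholder\n" },
];

const result = auditRotation(rotation, targets);
for (const r of result.report) console.log(`${r.name}: ${r.status}`);
console.log("safe to delete old key:", result.safeToDeleteOldKey);
```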
Rotate across environments and applications
Each Clerk app and environment combination has its own set of API keys. If you need to rotate keys in more than one place, repeat the steps above for each one:
- Development and Production instances are independent. Rotating your Production Secret Key doesn't affect your Development Secret Key, and vice versa. Use the app and environment selectors at the top left of the Clerk Dashboard to switch between them.
- Separate applications have separate keys. If you maintain multiple Clerk applications, each has its own Secret Key and must be rotated independently.