Hardcoding API keys inside code repos or environment variables is a major security risk. To comply with modern security standards (like SOC2 or ISO 27001), API credentials must be rotated periodically. This guide covers how to build a self-healing key rotation pipeline using n8n and HashiCorp Vault.
1. The Key Rotation Lifecycle
An automated credential rotation flow requires four distinct steps:
- Generate: Create a new secure secret or token on the target SaaS service (e.g. AWS IAM, Stripe, or GitHub).
- Store: Write the new credential value into your secret manager (e.g. HashiCorp Vault or AWS Secrets Manager).
- Test: Verify that the new credentials function correctly by calling a simple endpoint.
- Revoke: Invalidate and delete the old credential key, rendering it useless.
2. Building the Trigger Schedule
Use the n8n **Cron Node** to schedule the workflow execution. For production API keys, rotating keys every 30 to 90 days is recommended. Set the trigger to run on the first day of every month at midnight.
3. Integrating with HashiCorp Vault API
n8n doesn't have a native Vault node, but you can interact with it seamlessly using the **HTTP Request** node. Set the credentials using token authentication and target your KV (Key-Value) engine endpoint:
```
# Method: POST
# URL: https://vault.mycompany.com/v1/secret/data/production/api-keys
# Header: X-Vault-Token: {{ $credentials.vault_token }}
# JSON Body:
{
  "data": {
    "stripe_api_key": "{{ $json.new_key }}",
    "rotated_at": "{{ $now.toString() }}"
  }
}
```
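The request above is what the HTTP Request node sends to a KV v2 engine. The following is an added example, not code from the article or from n8n or Vault themselves, that builds the same write (plus the matching read) in plain Node.js, parses Vault's replies, and masks the token before anything is logged. `VAULT_ADDR`, the `secret` mount name, and every token and key value are placeholders. It also goes a step beyond the page by setting the KV v2 `cas` (check-and-set) option, which makes Vault refuse the write if another rotation run has already bumped the secret's version.

```javascript
// Added example, not code from the original article: building the Vault KV v2
// requests that the n8n HTTP Request node sends, and reading Vault's replies.
// VAULT_ADDR and KV_MOUNT are placeholders, not real infrastructure.
const VAULT_ADDR = 'https://vault.example.internal'; // placeholder host
const KV_MOUNT = 'secret';                            // KV v2 mount name (assumed)

// Write request. KV v2 nests the user fields under "data"; the optional
// "options.cas" (check-and-set) makes Vault reject the write unless the secret's
// current version equals the number given, so two overlapping rotation runs
// cannot silently overwrite each other's key.
function buildKvWrite(token, secretPath, fields, expectedVersion) {
  const body = { data: fields };
  if (Number.isInteger(expectedVersion)) {
    body.options = { cas: expectedVersion };
  }
  return {
    method: 'POST',
    url: `${VAULT_ADDR}/v1/${KV_MOUNT}/data/${secretPath}`,
    headers: { 'X-Vault-Token': token, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Read request: a GET on the same /data/ path returns the latest version.
function buildKvRead(token, secretPath) {
  return {
    method: 'GET',
    url: `${VAULT_ADDR}/v1/${KV_MOUNT}/data/${secretPath}`,
    headers: { 'X-Vault-Token': token },
  };
}

// A successful write reply looks like {"data": {"version": 7, ...}}.
function parseKvWriteResponse(json) {
  const v = json && json.data && json.data.version;
  if (!Number.isInteger(v)) throw new Error('unexpected KV v2 write response');
  return v;
}

// A read reply nests the fields under data.data and the version under data.metadata.
function parseKvReadResponse(json) {
  const d = json && json.data;
  if (!d || !d.data || !d.metadata) throw new Error('unexpected KV v2 read response');
  return { fields: d.data, version: d.metadata.version };
}

// Copy of a request with the Vault token masked, safe to attach to an n8n
// execution log or a Slack alert. Never log the raw request object.
function redactForLog(req) {
  const headers = { ...req.headers };
  if (headers['X-Vault-Token']) headers['X-Vault-Token'] = '<redacted>';
  return { ...req, headers };
}

// Demo with constructed values (not a real token or key).
const demo = buildKvWrite('hvs.PLACEHOLDER', 'production/api-keys',
  { stripe_api_key: 'sk_live_PLACEHOLDER', rotated_at: new Date().toISOString() }, 6);
console.log(redactForLog(demo));
```

In an n8n workflow the version returned by `parseKvWriteResponse` is worth keeping in the item data: a later read can compare it against `data.metadata.version` to detect that someone rotated the key out of band, and `redactForLog` is the shape of object you should pass to a Slack node, since n8n execution logs otherwise retain full request headers.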
4. Handling Rollback on Verification Failure
If the verification step (Step 3 of the lifecycle) fails because of a network problem or an API restriction, the workflow must not revoke the old key. Use the n8n **If Node** to check the response status code. If validation fails, send an urgent Slack notification to the DevOps team and leave the older credential active until someone intervenes manually.
🔒 Security Tip: Run your key rotation workflow on a self-hosted n8n instance inside a private VPC, so that your Vault API endpoints are never exposed to the public internet.
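To show how the four lifecycle steps from Section 1 and the rollback rule above fit together, here is an added example in plain Node.js; it is not the article's workflow and not n8n code. The SaaS provider and Vault are in-memory fakes standing in for the HTTP Request nodes, so it runs offline, and the `runScenario` helper drives one happy path and one failed-verification path.

```javascript
// Added example, not the article's own workflow: the four-step lifecycle from
// Section 1 with the rollback rule from Section 4, as plain Node.js so it runs
// without n8n. The SaaS provider and Vault are in-memory fakes standing in for
// the HTTP Request nodes; no network is touched.

// Runs one rotation. Every external action is an injected function so the
// same logic can be wired to real HTTP calls later.
function rotateKey({ currentKey, generate, store, verify, revoke, notify }) {
  const run = { rotated: false, steps: [] };

  // Step 1 (Generate): create a new key; the old one stays active meanwhile.
  const newKey = generate();
  run.steps.push('generate');

  // Step 2 (Store): write the new value to the secret manager.
  store(newKey);
  run.steps.push('store');

  // Step 3 (Test): call a harmless endpoint with the new key.
  const status = verify(newKey);
  run.steps.push('verify');
  if (status < 200 || status >= 300) {
    // Rollback: put the previous value back so consumers keep reading a key
    // that works, alert a human, and never revoke the old key on this path.
    store(currentKey);
    notify(`rotation aborted: verification returned HTTP ${status}; ` +
           `old key kept active, new key ${newKey.id} needs manual cleanup`);
    run.steps.push('rollback');
    return run;
  }

  // Step 4 (Revoke): only after a successful test is the old key invalidated.
  revoke(currentKey);
  run.steps.push('revoke');
  run.rotated = true;
  return run;
}

// Fake SaaS key store (constructed): tracks active key ids and returns the
// configured status from its verification endpoint.
function makeFakeSaas(verifyStatus) {
  const active = new Set(['key_old']);
  let counter = 0;
  return {
    active,
    generate: () => {
      const id = `key_new_${++counter}`;
      active.add(id);
      return { id, secret: `s3cr3t_${id}` }; // constructed value, not a real key
    },
    verify: (k) => (active.has(k.id) ? verifyStatus : 401),
    revoke: (k) => { active.delete(k.id); },
  };
}

// Fake secret manager (constructed): keeps a version history like KV v2 does.
function makeFakeVault() {
  const versions = [{ id: 'key_old', secret: 's3cr3t_key_old' }];
  return {
    versions,
    store: (k) => { versions.push(k); },
    latest: () => versions[versions.length - 1],
  };
}

// Runs a full scenario and returns what a test or a dashboard would inspect.
function runScenario(verifyStatus) {
  const saas = makeFakeSaas(verifyStatus);
  const vault = makeFakeVault();
  const alerts = [];
  const run = rotateKey({
    currentKey: vault.latest(),
    generate: saas.generate,
    store: vault.store,
    verify: saas.verify,
    revoke: saas.revoke,
    notify: (msg) => alerts.push(msg),
  });
  return { run, activeKeys: [...saas.active], vaultLatest: vault.latest().id, alerts };
}

console.log(runScenario(200)); // happy path: old key revoked, Vault holds the new key
console.log(runScenario(503)); // failed test: old key kept, Vault restored, alert raised
```

Two design points carry over to the n8n version. First, the rollback re-stores the previous value rather than relying on the KV v2 version history, so whatever reads the secret next gets a working key without knowing about versions. Second, the failed path deliberately leaves the new, unverified key in place on the SaaS side and names it in the alert; revoking it automatically would mean calling the same API that just failed, so that cleanup is left to the human who receives the notification.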