T8. Leaked a secret
What this page helps you do
Respond quickly when a secret is exposed.
Why it matters
A leaked secret is an active risk, not a documentation cleanup task.
You should already have
- reason to believe a secret was exposed
Skip this page if
- no secret was exposed and you are only trying to prevent future leaks
What to do
- rotate the secret
- update the app with the new value
- remove old references from docs and config
- review logs and usage if the provider supports it
Recommended default
Treat all exposed secrets as compromised unless you can prove otherwise.
Common mistakes
- only deleting the secret from the latest file
- leaving the old secret active
- forgetting CI, screenshots, or chat history
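Added example (not part of the original page): a shell check for the first mistake above, reporting where the old value still appears in a git checkout and in its history. The `OLD_SECRET` variable name and the function names are assumptions of this example. Run it after rotating, because the old value is passed to git on the command line.

```shell
#!/bin/sh
# Added example. OLD_SECRET (assumed variable name) holds the leaked value.
# Run after rotating: the value is passed to git as a command-line argument.

# Tracked files in the current checkout that still contain the value.
secret_in_worktree() {
    git -C "$1" grep -l -F -e "$OLD_SECRET" 2>/dev/null || true
}

# Commits on any branch or tag whose diff added or removed the value.
secret_in_history() {
    git -C "$1" log --all --date=short --format='%h %ad %s' \
        -S"$OLD_SECRET" 2>/dev/null || true
}

# Print a report; return 0 if clean, 1 if references remain, 2 on bad input.
leak_report() {
    repo=${1:-.}
    [ -n "${OLD_SECRET:-}" ] || { echo "OLD_SECRET is not set" >&2; return 2; }
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 ||
        { echo "$repo is not a git repository" >&2; return 2; }

    files=$(secret_in_worktree "$repo")
    commits=$(secret_in_history "$repo")

    if [ -n "$files" ]; then
        echo "Still present in the current checkout:"
        printf '%s\n' "$files" | sed 's/^/  /'
    fi
    if [ -n "$commits" ]; then
        echo "Added or removed in these commits (value remains in history):"
        printf '%s\n' "$commits" | sed 's/^/  /'
    fi
    [ -z "$files" ] && [ -z "$commits" ] &&
        { echo "No references found in git."; return 0; }
    return 1
}

# Usage: OLD_SECRET='old value' sh leak_report.sh /path/to/repo
if [ "$#" -gt 0 ]; then leak_report "$1"; fi
```

This covers tracked files and commit history in one repository only. CI settings, screenshots, and chat history still need a manual check.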
Next step
Go to R2. Secrets.
Related pages
Advanced notes
TODO for contributors: add a short “first 15 minutes after a leak” checklist.