Comment by cortesoft
21 hours ago
Rotations are usually two-phased. Add new secret/credential to endpoint, and both new and old are active and valid. Release new secret/credential to clients of that endpoint, and wait until you don't see any requests using the old credential.
Then you remove the old credential from the endpoint.
Note that you risk reinfection if the attacker can somehow retain access while you rotate out secrets...
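The two-phase procedure the comment describes, written out as an added example (this is not the commenter's code, and the `Endpoint` and `TwoPhaseRotation` classes, the credential ids and the secret values are all constructed for illustration). The endpoint accepts every credential in its active set and counts how often each one is presented; phase 2 refuses to drop the old credential while that counter is still moving, which is the "wait until you don't see any requests using the old credential" step. A straggler client that keeps sending the old secret, whether a forgotten deployment or an attacker holding on to it, keeps the cutover blocked, which is also why the observation window needs a hard deadline in practice:

```python
import hmac
import secrets


class Endpoint:
    """Constructed stand-in for the service whose credential is being rotated.

    It accepts any credential in `active` and counts how many requests presented
    each one; that count is the signal the rotation waits on before cutting over.
    """

    def __init__(self):
        self.active = {}  # credential id -> secret value
        self.uses = {}    # credential id -> number of requests that presented it

    def add_credential(self, cred_id, secret):
        self.active[cred_id] = secret
        self.uses[cred_id] = 0

    def remove_credential(self, cred_id):
        del self.active[cred_id]

    def handle_request(self, presented_secret):
        """Return the id of the credential that authenticated the request, or None."""
        for cred_id, secret in self.active.items():
            # constant-time comparison so timing does not reveal which secret matched
            if hmac.compare_digest(presented_secret.encode(), secret.encode()):
                self.uses[cred_id] += 1
                return cred_id
        return None


class TwoPhaseRotation:
    """Hypothetical driver for the add-new / drain-old / remove-old sequence."""

    def __init__(self, endpoint, old_id, new_id):
        self.endpoint = endpoint
        self.old_id = old_id
        self.new_id = new_id
        self.new_secret = None
        self._old_uses_at_last_check = None

    def phase1_add_new(self):
        """Phase 1: mint the new secret; the endpoint now accepts old and new alike."""
        self.new_secret = secrets.token_urlsafe(32)
        self.endpoint.add_credential(self.new_id, self.new_secret)
        return self.new_secret  # this value is what gets released to clients

    def clients_updated(self):
        """Call once the new secret has been pushed out: start watching the old one."""
        self._old_uses_at_last_check = self.endpoint.uses[self.old_id]

    def old_credential_still_in_use(self):
        """True if any request used the old credential since the last check.

        Each call starts a fresh observation window from the current count.
        """
        now = self.endpoint.uses[self.old_id]
        in_use = now > self._old_uses_at_last_check
        self._old_uses_at_last_check = now
        return in_use

    def phase2_remove_old(self):
        """Phase 2: drop the old credential only after a quiet observation window."""
        if self.old_credential_still_in_use():
            return False  # a client (or an attacker) is still using it; do not cut over
        self.endpoint.remove_credential(self.old_id)
        return True


def demo():
    """Run one rotation end to end and report what was observed at each step."""
    ep = Endpoint()
    ep.add_credential("cred-v1", "old-secret-value")  # constructed sample credential
    rot = TwoPhaseRotation(ep, "cred-v1", "cred-v2")

    new_secret = rot.phase1_add_new()
    both_valid = (ep.handle_request("old-secret-value") == "cred-v1"
                  and ep.handle_request(new_secret) == "cred-v2")

    rot.clients_updated()
    ep.handle_request("old-secret-value")      # a straggler still on the old secret
    refused = rot.phase2_remove_old() is False  # cutover must be refused

    ep.handle_request(new_secret)               # next window sees only the new secret
    removed = rot.phase2_remove_old()
    old_rejected = ep.handle_request("old-secret-value") is None
    new_accepted = ep.handle_request(new_secret) == "cred-v2"
    return {
        "both_valid_during_overlap": both_valid,
        "refused_while_old_in_use": refused,
        "old_removed_after_quiet_window": removed,
        "old_rejected_after_cutover": old_rejected,
        "new_accepted_after_cutover": new_accepted,
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

The counter is per credential id rather than a single "any request" flag so that the drain check is not fooled by traffic that has already moved to the new secret; in a real service the same signal comes from the auth logs, keyed on which credential each request authenticated with.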