Rotating API Keys¶
Regular API key rotation is a security best practice. This guide shows you how to safely rotate your WhisperHedge API keys without disrupting position tracking.
Why Rotate Keys?¶
Security Benefits¶
Limit Exposure Window
Even if a key is compromised, regular rotation limits the time an attacker can use it.
Detect Breaches
If old keys continue to be used after rotation, you know there's unauthorized access.
Compliance
Many security standards require periodic key rotation.
Fresh Start
Rotating keys ensures clean separation between time periods for auditing.
Rotation Schedule¶
Recommended Frequency¶
High-Value Positions: - Rotate every 1-3 months - More frequent if handling large amounts - After any security concern
Medium-Value Positions: - Rotate every 3-6 months - Standard security practice - Balances security and convenience
Low-Value Positions: - Rotate every 6-12 months - Minimum recommended frequency - Still important for security
Triggers for Immediate Rotation¶
Rotate immediately if:
- 🚨 Suspected key compromise
- 🚨 Employee/team member leaves
- 🚨 Security breach at platform
- 🚨 Key accidentally exposed (git, email, etc.)
- 🚨 Unusual activity detected
- 🚨 Platform recommends rotation
Rotation Process¶
Step-by-Step Guide¶
Step 1: Create New API Key¶
- Log into your trading platform (e.g., Hyperliquid)
- Navigate to API key management
- Create a new API key with:
- Read-only permissions
- Same subaccount as old key
- Descriptive name (include date)
- Save the new key and secret securely
Example naming:
Step 2: Update WhisperHedge¶
- Go to WhisperHedge dashboard
- Find the position using the old key
- Click "Edit" or "Update API Key"
- Enter the new API key and secret
- Click "Verify" to test the connection
- Save the changes
Test First
Always verify the new key works before deleting the old one.
Step 3: Verify New Key Works¶
- Check that position data loads
- Manually refresh the position
- Verify all metrics display correctly
- Wait 5-10 minutes for full sync
Step 4: Delete Old Key¶
- Return to your trading platform
- Find the old API key
- Delete or revoke it
- Confirm deletion
Don't Delete Too Soon
Wait until you've confirmed the new key works before deleting the old one.
Step 5: Update Records¶
- Update your password manager
- Note rotation date in your records
- Set reminder for next rotation
- Document any issues encountered
Quick Rotation Checklist¶
- [ ] Create new API key (read-only)
- [ ] Save new key securely
- [ ] Update key in WhisperHedge
- [ ] Verify position data loads
- [ ] Test manual refresh
- [ ] Wait 5-10 minutes
- [ ] Delete old key from platform
- [ ] Update password manager
- [ ] Record rotation date
- [ ] Set next rotation reminder
Rotation Strategies¶
Staggered Rotation¶
If you have multiple positions, don't rotate all keys at once:
Week 1: Rotate positions 1-3
Week 2: Rotate positions 4-6
Week 3: Rotate positions 7-9
Benefits: - Reduces workload - Easier to troubleshoot issues - Less disruptive - Spreads out risk
Batch Rotation¶
Rotate all keys at once:
Benefits: - Gets it done quickly - Consistent rotation dates - Easier to remember
Drawbacks: - More time-consuming - Higher risk of errors - All positions affected if issues
Event-Based Rotation¶
Rotate keys when specific events occur:
- Platform security update
- Quarterly security review
- Team member changes
- After travel/conferences
- Regulatory audit
Automation & Reminders¶
Calendar Reminders¶
Set recurring calendar events:
Every 3 months:
"Rotate WhisperHedge API Keys - Positions 1-5"
Every 6 months:
"Rotate WhisperHedge API Keys - All Positions"
Password Manager¶
Many password managers support: - Expiration dates on entries - Automatic rotation reminders - Audit logs - Security scores
Spreadsheet Tracking¶
Track rotation in a spreadsheet:
| Position | Current Key | Created | Last Rotated | Next Rotation |
|---|---|---|---|---|
| ETH/USDC | WH-ETH-04 | 2024-04-01 | 2024-04-01 | 2024-07-01 |
| BTC/USDC | WH-BTC-03 | 2024-03-15 | 2024-03-15 | 2024-06-15 |
Troubleshooting Rotation¶
New Key Not Working¶
Symptoms: - "Invalid API Key" error - Position not updating - Permission denied
Solutions: 1. Verify key was copied correctly (no spaces) 2. Check permissions are read-only 3. Confirm correct subaccount 4. Try regenerating the key 5. Revert to old key temporarily
Position Data Lost¶
Symptoms: - Historical data missing - Metrics reset to zero - Charts empty
Solutions: 1. Wait 10-15 minutes for resync 2. Manually refresh position 3. Check if position ID changed 4. Contact support if persists
Old Key Still Active¶
Symptoms: - Old key works after deletion - Platform shows key as active
Solutions: 1. Verify deletion in platform 2. Clear browser cache 3. Log out and back in 4. Check if key was actually deleted
Best Practices¶
Before Rotation¶
- ✅ Choose low-activity time
- ✅ Have new key ready
- ✅ Backup current configuration
- ✅ Notify team if applicable
During Rotation¶
- ✅ Test new key thoroughly
- ✅ Keep old key active until verified
- ✅ Document any issues
- ✅ Update one position at a time
After Rotation¶
- ✅ Verify all positions working
- ✅ Delete old keys promptly
- ✅ Update documentation
- ✅ Set next rotation reminder
Emergency Rotation¶
Suspected Compromise¶
If you suspect a key is compromised:
- Immediately delete the key from platform
- Create new key
- Update WhisperHedge
- Review platform security logs
- Check for unauthorized activity
- Change password if needed
- Enable 2FA if not already active
Mass Rotation¶
If you need to rotate all keys urgently:
- Prioritize by position value (high to low)
- Batch process in groups of 3-5
- Verify each batch before continuing
- Document any issues
- Review security logs after completion
Rotation Records¶
What to Track¶
Keep records of: - Key creation dates - Rotation dates - Reason for rotation - Any issues encountered - Time taken - Platform used
Sample Record¶
Position: ETH/USDC HLP
Old Key: WH-ETH-2024-01
New Key: WH-ETH-2024-04
Rotation Date: 2024-04-01
Reason: Scheduled quarterly rotation
Issues: None
Time Taken: 5 minutes
Next Rotation: 2024-07-01
Multiple Position Rotation¶
Efficient Process¶
For rotating 10+ positions:
- Prepare: Create all new keys first
- Organize: List positions by priority
- Execute: Update 3-5 at a time
- Verify: Test each batch
- Clean up: Delete old keys in batches
- Document: Record all changes
Time Estimates¶
- Single position: 5-10 minutes
- 5 positions: 30-45 minutes
- 10 positions: 1-1.5 hours
- 20+ positions: 2-3 hours
Related Topics¶
- Hyperliquid API Keys - Creating new keys
- One Key Per Position - Why separate keys
- API Key Security - Security best practices
- Troubleshooting - Fix common issues