Credential Rotation

The Tawa platform enforces automatic credential rotation every 30 days as a compliance requirement. Database credentials are regenerated and services are redeployed with zero downtime.

Overview

Every service with database credentials gets a 30-day rotation cycle. When the cycle expires, credentials are regenerated and the service is redeployed with fresh credentials — no action required from developers.

This is automatic. You don't need to configure anything. Rotation activates on the first deploy of any service that has database credentials and, under the default auto policy, runs continuously for as long as the service stays deployed.

How It Works

  1. When you deploy a service, the builder stamps a rotation clock: lastRotatedAt (now) and nextRotationAt (now + 30 days)
  2. The rotation scheduler checks all services every hour for approaching expirations
  3. At 7 days out: you receive a warning email
  4. At 3 days out: you receive an imminent-rotation email
  5. At 0 days (expiration): the platform triggers an automatic redeploy with fresh credentials
  6. After rotation: you receive a confirmation email and the clock resets to 30 days

Rotation Clock

Every deploy resets the rotation clock. If you deploy regularly (e.g., weekly), you'll never hit automatic rotation — each deploy starts a fresh 30-day window.

Field             Description
----------------  ------------------------------------------------------------
lastRotatedAt     When credentials were last rotated (any deploy resets this)
nextRotationAt    When the next automatic rotation will occur
rotationPolicy    auto (default) or manual
rotationHistory   Audit trail of the last 50 rotation events

Trigger Types

Trigger          Cause
---------------  --------------------------------------------------------
deploy           Normal deploy via tawa deploy
auto-rotation    Automatic rotation triggered by the scheduler at day 30
manual-refresh   Manual refresh via the console "Refresh Now" button

Email Notifications

When                      Email                  Action needed
------------------------  ---------------------  -----------------------------------------------------------
7 days before rotation    Rotation warning       Optional — deploy or click "Refresh Now" to reset the clock
3 days before rotation    Imminent rotation      Optional — same, or let auto-rotation handle it
Rotation complete         Rotation confirmation  None — credentials rotated, service redeployed

Emails go to the service creator's email address.
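The rotation clock, the hourly scheduler pass, the trigger types and the notification thresholds described above, modelled in Python as an added example (this is not Tawa platform code). The field names lastRotatedAt, nextRotationAt, rotationPolicy and rotationHistory, the trigger names and the 7/3/0-day thresholds come from this page; the Service record layout, the `warned` set that stops the hourly pass from re-sending the same email, the `send_email`/`redeploy` hooks and the scenario data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=30)
WARNING_DAYS = (7, 3)      # "Rotation warning" at 7 days out, "Imminent rotation" at 3
HISTORY_LIMIT = 50         # rotationHistory keeps the last 50 events


def utc(*ymdh) -> datetime:
    """Timestamp helper for the constructed scenario below."""
    return datetime(*ymdh, tzinfo=timezone.utc)


@dataclass
class Service:
    name: str
    owner_email: str              # emails go to the service creator
    has_database: bool
    last_rotated_at: datetime     # lastRotatedAt
    next_rotation_at: datetime    # nextRotationAt
    rotation_policy: str = "auto"                # rotationPolicy: "auto" (default) or "manual"
    rotation_history: list = field(default_factory=list)
    warned: set = field(default_factory=set)     # assumed: thresholds already emailed in this cycle


def stamp_clock(svc: Service, trigger: str, now: datetime) -> None:
    """Start a fresh 30-day window and append the event to the audit trail."""
    svc.last_rotated_at = now
    svc.next_rotation_at = now + ROTATION_PERIOD
    svc.rotation_history.append({"trigger": trigger, "at": now})
    del svc.rotation_history[:-HISTORY_LIMIT]    # keep only the newest 50 entries
    svc.warned.clear()                           # a new cycle may warn again


def deploy(svc: Service, now: datetime) -> None:
    """tawa deploy: resets the clock with trigger 'deploy'."""
    stamp_clock(svc, "deploy", now)


def manual_refresh(svc: Service, now: datetime) -> None:
    """Console 'Refresh Now': resets the clock with trigger 'manual-refresh'."""
    stamp_clock(svc, "manual-refresh", now)


def tick(services, now: datetime, send_email, redeploy) -> list:
    """One hourly scheduler pass; returns the (service, action) pairs it took."""
    actions = []
    for svc in services:
        if not svc.has_database:                 # no database credentials, nothing to rotate
            continue
        remaining = svc.next_rotation_at - now
        if remaining > timedelta(0):
            # Send the most urgent unsent warning once, although the pass runs every hour.
            due = [d for d in WARNING_DAYS if remaining <= timedelta(days=d)]
            if due and min(due) not in svc.warned:
                days = min(due)
                subject = "Rotation warning" if days == 7 else "Imminent rotation"
                send_email(svc.owner_email, f"{subject}: {svc.name} rotates on {svc.next_rotation_at:%Y-%m-%d}")
                svc.warned.update(d for d in WARNING_DAYS if d >= days)
                actions.append((svc.name, f"warn-{days}d"))
            continue
        if svc.rotation_policy == "manual":
            # Warnings were sent, but nothing rotates: the credentials keep ageing past 30 days.
            actions.append((svc.name, "overdue"))
            continue
        redeploy(svc)                            # rolling update with fresh credentials
        stamp_clock(svc, "auto-rotation", now)
        send_email(svc.owner_email, f"Rotation confirmation: {svc.name} redeployed with fresh credentials")
        actions.append((svc.name, "auto-rotation"))
    return actions


def run_demo() -> dict:
    """Constructed scenario: three services first deployed on 2026-01-01, checked hourly for 31 days."""
    t0 = utc(2026, 1, 1)
    emails, redeploys, actions = [], [], []
    api = Service("api", "alice@example.com", True, t0, t0 + ROTATION_PERIOD)
    worker = Service("worker", "bob@example.com", True, t0, t0 + ROTATION_PERIOD, rotation_policy="manual")
    site = Service("static-site", "carol@example.com", False, t0, t0 + ROTATION_PERIOD)
    for hour in range(31 * 24 + 1):
        now = t0 + timedelta(hours=hour)
        actions += tick([api, worker, site], now,
                        lambda to, text: emails.append((to, text)),
                        lambda svc: redeploys.append(svc.name))
    return {"actions": actions, "emails": emails, "redeploys": redeploys, "api": api, "worker": worker}


if __name__ == "__main__":
    for name, action in run_demo()["actions"]:
        print(name, action)
```

Running the scenario, the auto service gets the 7-day warning, the 3-day warning and one auto-rotation with a confirmation email, after which its clock restarts; the manual service gets the same two warnings and is then reported as overdue on every hourly pass without being redeployed; the service without a database is never touched.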

Zero-Downtime Rotation

All rotations use Kubernetes rolling updates:

  1. A new pod starts with fresh credentials (maxSurge: 1)
  2. The new pod passes health checks
  3. The old pod is terminated (maxUnavailable: 0)

Your service is never fully down during rotation: the rolling update ensures there is always at least one healthy pod serving traffic. Note that the old pod keeps running on the previous credentials until the new pod is healthy, so the previous credentials are still in use for the duration of the rollout.
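A check a practitioner can run against a rendered Deployment (for instance the JSON from `kubectl get deploy -o json`) to confirm it carries the rollout guarantees this section describes. This is an added example, not platform code: the manifest is constructed here, and the Secret name `api-db-credentials`, the container image and the `/healthz` probe path are assumptions. It resolves percentage values the way Kubernetes does (maxSurge rounds up, maxUnavailable rounds down against the replica count), which is why the explicit `maxSurge: 1` / `maxUnavailable: 0` on this page matters once a service runs more than one replica.

```python
import copy
import math


def api_deployment() -> dict:
    """Constructed Deployment for a service whose database credentials come from a Secret.

    Secret name, image and probe path are assumptions; the strategy values are the ones
    this page documents for credential rotation.
    """
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "api"},
        "spec": {
            "replicas": 2,
            "strategy": {
                "type": "RollingUpdate",
                "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 0},
            },
            "template": {
                "spec": {
                    "containers": [{
                        "name": "api",
                        "image": "registry.example.com/api:1.4.2",
                        # MONGODB_URI etc. are injected from the rotated Secret
                        "envFrom": [{"secretRef": {"name": "api-db-credentials"}}],
                        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                    }],
                },
            },
        },
    }


def _resolve(value, replicas: int, round_up: bool) -> int:
    """Kubernetes resolves percentages against replicas: maxSurge rounds up, maxUnavailable rounds down."""
    if isinstance(value, str) and value.endswith("%"):
        pods = int(value[:-1]) / 100 * replicas
        return math.ceil(pods) if round_up else math.floor(pods)
    return int(value)


def rollout_problems(deployment: dict) -> list:
    """Return the reasons a rollout could leave the service with no healthy pod; empty means zero-downtime."""
    spec = deployment.get("spec", {})
    replicas = spec.get("replicas", 1)
    strategy = spec.get("strategy", {})
    problems = []
    if strategy.get("type", "RollingUpdate") != "RollingUpdate":
        problems.append("strategy.type is Recreate: every old pod stops before any new pod starts")
        return problems
    ru = strategy.get("rollingUpdate", {})          # Kubernetes defaults both fields to 25%
    if _resolve(ru.get("maxUnavailable", "25%"), replicas, round_up=False) != 0:
        problems.append("maxUnavailable resolves above 0: an old pod may stop before the new one is healthy")
    if _resolve(ru.get("maxSurge", "25%"), replicas, round_up=True) < 1:
        problems.append("maxSurge resolves to 0: no fresh pod can start ahead of the old one")
    containers = spec.get("template", {}).get("spec", {}).get("containers", [])
    for c in containers:
        if "readinessProbe" not in c:
            problems.append(f"container {c.get('name')!r} has no readinessProbe: "
                            "the new pod counts as healthy as soon as it starts")
    return problems


def weakened(deployment: dict, **rolling_update) -> dict:
    """Copy of a Deployment with rollingUpdate fields overridden, to compare a weak setting with the correct one."""
    d = copy.deepcopy(deployment)
    d["spec"]["strategy"]["rollingUpdate"].update(rolling_update)
    return d


if __name__ == "__main__":
    print("documented settings:", rollout_problems(api_deployment()))
    print("maxUnavailable 1:", rollout_problems(weakened(api_deployment(), maxUnavailable=1)))
```

The documented settings produce no findings; overriding `maxUnavailable` to 1, switching the strategy to Recreate, or dropping the readiness probe each produces one. The same manifest with the Kubernetes defaults (no `rollingUpdate` block) passes at one replica, because 25% of one pod rounds down to 0 unavailable and up to 1 surge, but fails at four replicas, where 25% unavailable becomes a whole pod.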

Manual Refresh

To reset the rotation clock without waiting for the scheduler:

  1. Go to the Developer Console → your service → Credentials
  2. Click Refresh Now

Or trigger via deploy — any tawa deploy resets the clock.

Key Facts

  • Services without databases are not subject to credential rotation
  • Rotation only affects database credentials (MONGODB_URI, REDIS_URL, NEO4J_URI) — not OAuth credentials (BIO_CLIENT_ID, BIO_CLIENT_SECRET), which have their own rotation schedule
  • The rotationPolicy: manual setting disables automatic rotation, but the 7-day and 3-day warning emails still fire. With this setting nothing rotates at day 30: the credentials keep ageing until you deploy or click "Refresh Now", so meeting the 30-day requirement becomes your responsibility
  • Rotation history is kept for compliance audits — the last 50 events are available in the console

Last updated: February 28, 2026