Credential Rotation

The Tawa platform enforces automatic credential rotation every 30 days as a compliance requirement. Database credentials are regenerated and services are redeployed with zero downtime.

Overview

As an insurance platform, Tawa enforces security compliance automatically. Every service with database credentials gets a 30-day rotation cycle. When the cycle expires, credentials are regenerated and the service is redeployed with fresh credentials — no action required from developers.

This is automatic. You don't need to configure anything. Credential rotation activates on your first deploy and runs continuously as long as your service is deployed.

How it works

When you deploy a service, the builder stamps a rotation clock on it: lastRotatedAt (now) and nextRotationAt (now + 30 days)
The rotation scheduler checks all services every hour for approaching expirations
At 7 days out: you receive a warning email
At 3 days out: you receive an imminent-rotation email
At 0 days (expiration): the platform triggers an automatic redeploy with fresh credentials
After rotation: you receive a confirmation email and the clock resets to 30 days

Rotation clock

Every deploy resets the rotation clock. This means if you deploy regularly (e.g., weekly), you'll never hit the automatic rotation — each deploy starts a fresh 30-day window.

The clock tracks:

Field	Description
`lastRotatedAt`	When credentials were last rotated (any deploy resets this)
`nextRotationAt`	When the next automatic rotation will occur (30 days from last rotation)
`rotationPolicy`	`auto` (default) or `manual` — auto-rotation only triggers for `auto` policy
`rotationHistory`	Audit trail of the last 50 rotation events with trigger type and build ID

Trigger types

Trigger	Cause
`deploy`	Normal deploy via `tawa deploy`
`auto-rotation`	Automatic rotation triggered by the scheduler at day 30
`manual-refresh`	Manual refresh via the console “Refresh Now” button or API

Email notifications

The platform sends email notifications at key points in the rotation cycle. Emails are sent once per cycle (deduplication prevents repeated emails for the same rotation window).

When	Email	Action needed
7 days before rotation	Rotation warning	Optional — deploy or click “Refresh Now” to reset the clock
3 days before rotation	Imminent rotation	Optional — same as above, or let auto-rotation handle it
Rotation complete	Rotation confirmation	None — credentials have been rotated and service redeployed

Emails are sent to the service creator's email address. If no email is on file, they fall back to admin@<org>.io.

Zero-downtime rotation

All rotations (automatic and manual) use Kubernetes rolling updates to ensure zero downtime:

A new pod is started with fresh credentials (maxSurge: 1)
The new pod passes health checks and begins serving traffic
The old pod is terminated (maxUnavailable: 0)

This means your service has two pods running for approximately 2-3 minutes during the rotation. There is no downtime and no dropped requests.

Rolling updates are always enabled. Every deploy (not just rotations) uses maxSurge: 1 and maxUnavailable: 0 by default. Your users will never experience downtime during a deploy.

Manual refresh

You can manually refresh credentials at any time, which resets the 30-day clock:

Via the console

Navigate to your service in the console. Scroll to the Credential Rotation section and click Refresh Now. This triggers a redeploy at the current commit with fresh credentials.

Via the API

# Manual credential refresh
POST /services/:name/rotation/refresh

# Optional: target a specific environment
{
  "environment": "prod"  // or "sandbox", "uat", "dev"
}

The API returns a 202 Accepted with a buildId you can use to track the redeploy.

Viewing rotation status

# Get rotation status for a service
GET /services/:name/rotation

# Response:
{
  "rotation": {
    "lastRotatedAt": "2026-02-17T12:00:00Z",
    "nextRotationAt": "2026-03-19T12:00:00Z",
    "rotationPolicy": "auto",
    "rotationHistory": [
      {
        "rotatedAt": "2026-02-17T12:00:00Z",
        "trigger": "deploy",
        "environment": "prod",
        "buildId": "abc12345-..."
      }
    ]
  }
}

Compliance dashboard

The Compliance page in the console shows all services approaching rotation:

Compliant (green) — more than 7 days remaining
Expiring (yellow) — 3 to 7 days remaining
Critical / Overdue (red) — 3 days or fewer, or past due

Each service shows a progress bar indicating how far through the 30-day cycle it is. Super admins see all services across all orgs; regular users see only their own org's services.

Compliance fee

Each automatic credential rotation incurs a flat compliance fee of 1,500 gas tokens ($15 USD) per service. This fee is charged to the org's wallet when the auto-rotation triggers.

Event	Fee
Auto-rotation (scheduler)	1,500 tokens
Manual refresh (console button)	No fee
Normal deploy (`tawa deploy`)	No rotation fee (standard hosting gas applies)

Avoid the fee: Deploy or manually refresh before the 30-day window expires. Regular deploys reset the clock at no extra cost. The compliance fee only applies when the platform has to auto-rotate for you.

FAQ

Do I need to change my code?

No. Credential rotation is entirely platform-managed. Your app reads process.env.MONGODB_URI (or REDIS_URL, NEO4J_URI) on startup. When credentials rotate, your pod restarts with new env vars automatically.

What if I deploy every week?

Each deploy resets the 30-day clock. If you deploy at least once every 30 days, automatic rotation will never trigger and you'll never be charged the compliance fee.

What if the auto-rotation build fails?

The scheduler has a safety check: if the last 3 builds for a service all failed, it skips auto-rotation and logs a warning. This prevents a broken service from getting stuck in a rotation loop. Fix the underlying issue and deploy manually to resume the cycle.

Can I disable automatic rotation?

Rotation policy can be set to manual instead of auto, which disables the scheduler for that service. However, this is not recommended — manual-policy services still show the rotation clock, but the platform won't auto-redeploy when it expires. You are responsible for rotating credentials yourself.

Does rotation affect my data?

No. Rotation only changes the credentials used to connect to your database. The data itself is untouched. The old credentials are invalidated and new ones are generated.

How does zero-downtime work with a single replica?

Even with one replica, Kubernetes temporarily runs two pods during rolling updates (maxSurge: 1). The new pod starts, passes its health check, and begins receiving traffic before the old pod is terminated. The extra pod only exists for 2-3 minutes.

Is there an API to check rotation status?

Yes. GET /services/:name/rotation returns the full rotation state. GET /rotation/upcoming returns all services approaching rotation within 14 days (org-scoped).

Databases — how database provisioning works
Gas & Wallets — token economics and the compliance fee
Config & Secrets — managing secrets and environment variables