
I Accidentally Pasted a Password or API Key — What to Do Next
Take a breath. This happens to senior engineers, security people, and everyone in between. Below is the calm, step-by-step playbook for the next sixty seconds, the next hour, and the next time it almost happens.

The first rule of secret leaks: assume it is exposed. Do not negotiate with yourself about whether it really counts. Treat the credential as compromised, rotate it, and then deal with the surface it leaked to.

The 60-second triage

1. Stop typing in that window. Whatever you were doing — sending a message, hitting Save, pushing a commit — pause it. Do not make the mistake worse by also sending the next message that references it.
2. Open the service the credential belongs to in another tab. GitHub, AWS, your cloud provider, your password manager — go to the page where you can revoke or rotate that specific credential.
3. Rotate or revoke the credential. Generate a new one and disable the old one. This is the single highest-leverage action you can take. Everything else is optional once th
Continue reading on Dev.to



