An OpenRouter API key revoke takes thirty seconds. Go to openrouter.ai/keys, find the key you want to invalidate, and click Delete. The key stops working immediately — no propagation delay, no grace window. If the key had a custom name, note it before deleting so you can recreate with the same label and spending cap.
After revocation, open your usage dashboard and filter by the last 24–48 hours. If the key appeared in a public repository or .env file, look for calls to models you do not use or call volumes that do not match your agent activity. Unexpected charges from a scraped key are sometimes recoverable — contact OpenRouter support with your activity log if you see abuse you did not initiate.
When you provision the replacement key, set a monthly credit limit from the start. OpenRouter lets you cap spend per key, which bounds the damage if this happens again. Add the new key to your environment and never commit it — use a secrets manager or environment injection at runtime rather than storing it in project files.
The harder exposure vector is your AI agents themselves. Claude Code, Cursor, and similar tools read your project environment by design, and a compromised prompt or misconfigured tool call can surface a key in agent output without you noticing. AgentGuard360 monitors every AI session for credential patterns and redacts them before the model delivers them as output — the replacement key you just provisioned gets the same protection from day one.
