Secret Rotation: When and How to Reset Your AI Agent's Security Baseline
Moved offices? Switched ISPs? Your agent's requests may start getting blocked. Secret rotation resets the Security Baseline — here's when to do it and exactly how.
Every Stow agent has a Security Baseline — a network fingerprint captured on first connection. When your network context changes significantly, your agent's requests may start deviating from that baseline, triggering risk score elevation or outright blocks. Secret rotation is the mechanism that resets the baseline when your legitimate context changes.
What a Security Baseline Is
On first connection, the Stow Risk Engine records three network signals from your agent:
IP Address
Your external IP at first connection time.
ASN / ISP
Your internet provider's Autonomous System Number.
Geographic Region
Country and region derived from the network.
These signals become the reference point. Every subsequent request is compared against them. Deviation elevates risk scores; significant deviation blocks requests entirely.
When Your Baseline Becomes Stale
Moved to a new office or home
New IP, possibly new ISP. Baseline deviation on every request until rotated.
Switched internet service provider
ASN changes are a strong signal. Elevated risk scores or blocks.
Started using a work VPN
VPN exit nodes often appear as data center IPs — very different from your home ISP's range.
Traveling internationally
Country-level deviation triggers immediate blocks. Rotate before you travel if you need access on the road.
Changed development machine or container
If your Cursor agent runs in a Docker container or remote VM, its IP differs from your local machine.
Suspect credential compromise
If you think your agent secret may have leaked, rotation invalidates it immediately.
How to Rotate Your Agent Secret
Secret rotation is a two-step process: generate the new secret, then update your agent configuration before the old secret is invalidated.
Rotation Steps
Navigate to AI Agents in your Stow dashboard
Click your agent (e.g., Cursor) to open Agent Configuration
Click New Client Secret — a new secret is generated immediately
Copy the new secret (it's only shown once)
Update your agent config with the new secret BEFORE closing the modal
For Cursor: update the SSE URL in your MCP JSON config file with the new secret
The next connection from your agent establishes the new Security Baseline
Order matters: The old secret becomes invalid the moment you generate the new one. If you close the modal before updating your agent config, your agent will be blocked. Always update the config first, then confirm the rotation is working.
What Happens to Existing Connections
- The old secret is revoked immediately — any active connections using it will fail
- Your permission policies, connected services, and activity logs are unaffected
- The Security Baseline is cleared — the next connection from the new context sets a fresh baseline
- Any pending approval queue items remain pending — rotation doesn't affect them
Verifying the New Baseline
After rotation, test your agent by making a simple request — ask it to list available tools or check a connected service. Then navigate to Activity Logs in the Stow dashboard. You should see:
- A new
executedentry for the test request - Network signals matching your current location
- A normal (low) risk score — the baseline is now established for this network
If the risk score is still elevated after rotation, your current network (VPN, corporate proxy, etc.) may be flagged as unusual. Try the request from your regular network context first, or contact support to review your baseline configuration.
OAuth Agents Don't Need Manual Rotation
Agents that connect via OAuth (Claude Desktop, ChatGPT) don't use a manually managed secret — they use the OAuth flow. If you need to reset the baseline for an OAuth agent, disconnect and reconnect the agent through the OAuth flow. The next connection will establish a new baseline automatically.
Stow Security Team
April 19, 2026