Best practices for API key rotation in production?

Ryan Mitchell, Mar 5, 2026

We're running OpenAI API calls in a production microservices architecture and need to implement key rotation. Currently we have a single API key hardcoded in our config (I know, I know).

What are the best practices here?

  • Do you use a secrets manager (Vault, AWS Secrets Manager)?
  • How do you handle the transition period when rotating keys?
  • Does OpenAI support multiple active keys per project?
  • Any recommended rotation frequency?

Our stack is Kubernetes with Node.js services. Would love to hear how others handle this.

3.1k views · 18 replies · 56 likes
