Pre-termination checklist
Before terminating, complete these steps to avoid leaving orphaned resources and leaked credentials:- Export any data you need — session transcripts, configs, files. Termination is irreversible.
- Note your attached storage — Identify any block volumes, snapshots, or object storage buckets associated with the instance. You’ll delete these separately after termination.
- Identify connected accounts — List every OAuth token or API key the agent had access to. You’ll revoke and rotate these after termination.
Select your cloud provider
AWS EC2
Amazon Web Services
Google Cloud
Compute Engine
DigitalOcean
Droplets
Oracle Cloud
OCI Compute Instances
Tencent Cloud
Cloud Virtual Machine (CVM)
Alibaba Cloud
Elastic Compute Service (ECS)
Baidu Cloud
Baidu Cloud Compute (BCC)
Hetzner
Hetzner Cloud Servers
Kamatera
Kamatera Cloud Servers
Post-termination checklist
After the instance is gone, complete these steps. Skipping them leaves credentials live that could still be used against your accounts.Rotate all secrets
For every credential the agent had access to:| Credential type | How to rotate |
|---|---|
| LLM API keys (OpenAI, Anthropic, Google) | Revoke in the provider’s API keys dashboard and generate a new key |
| Gateway token | Already gone with the instance — no action needed |
| OAuth tokens (Gmail, Slack, GitHub, etc.) | Revoke in each service’s “Connected Apps” or “Authorized OAuth Apps” settings |
| SSH keys | Remove the public key from ~/.ssh/authorized_keys on any other servers it had access to. Generate a new keypair. |
Delete associated storage
Cloud providers don’t always delete attached block volumes when an instance is terminated. Check for and delete:- Block volumes / EBS volumes — Unattached volumes continue to incur charges and retain your data
- Snapshots — Manual or automated snapshots of the instance disk
- Object storage buckets — S3, GCS, or equivalent buckets the instance had access to