diff --git a/content/en/account_management/api-app-keys.md b/content/en/account_management/api-app-keys.md
index 37a6c9d2ec8..2e4cbfb56a1 100644
--- a/content/en/account_management/api-app-keys.md
+++ b/content/en/account_management/api-app-keys.md
@@ -108,6 +108,8 @@ To add a Datadog application key, navigate to [**Organization Settings** > **App
If your organization has One-Time Read (OTR) mode enabled, make sure to securely store your application key immediately after creation, as the key secret cannot be retrieved later.
{{< /site-region >}}
+Because API keys and application keys are long-lived and have no built-in expiration, store them in a secrets manager, such as AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault, instead of in source code or environment files. AWS Secrets Manager supports [managed rotation for Datadog API keys and application keys][24].
+
**Notes:**
- Application key names cannot be blank.
@@ -200,3 +202,4 @@ Need help? Contact [Datadog support][19].
[21]: /api/latest/action-connection/#register-a-new-app-key
[22]: /account_management/audit_trail/#setup
[23]: /account_management/rbac/permissions/#compliance
+[24]: https://aws.amazon.com/about-aws/whats-new/2026/05/secrets-manager-managed-external-secrets-datadog-snowflake/
diff --git a/content/en/account_management/service-access-tokens.md b/content/en/account_management/service-access-tokens.md
index 57dd7d6638f..39d82be8d32 100644
--- a/content/en/account_management/service-access-tokens.md
+++ b/content/en/account_management/service-access-tokens.md
@@ -60,6 +60,11 @@ Copy and store it securely. You cannot retrieve it later.
After you save, a details panel displays the token secret, name, Token ID, owner, owner roles,
expiration date, and scopes.
+If you configure a SAT with a long expiration or select **Never**, store the secret in a secrets
+manager, such as AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault, instead of in source
+code or environment files. AWS Secrets Manager supports [managed rotation for Datadog service
+account credentials][8].
+
## Use a Service Access Token
SATs support two authentication methods.
@@ -161,3 +166,4 @@ GET /api/v2/personal_access_tokens
[5]: /account_management/rbac/permissions/
[6]: /account_management/audit_trail/
[7]: https://app.datadoghq.com/audit-trail
+[8]: https://aws.amazon.com/about-aws/whats-new/2026/05/secrets-manager-managed-external-secrets-datadog-snowflake/