Whether the last developer left on good terms, vanished mid-project, or is handing over to a new team, the takeover process is the same: transfer every account, rotate every secret the same day, prove you can build and deploy without them, audit the licences, and write down what you learn while it is still fresh. This is the runbook we use on every rescue engagement — it works whoever you hire next, including nobody.
A safe developer handover has five stages, in this order. (1) Transfer ownership — not just access — of every account: repositories, CI/CD, cloud console, domain, DNS, database, error tracking and analytics. (2) The day the old developer loses access, rotate every secret they ever held: API keys, database passwords, deploy keys, OAuth secrets, webhook signing secrets. (3) Run an orientation pass: clean-machine install, environment reproduction, test suite, and map what is deployed against what is in the repository. (4) Audit licences and dependencies for copyleft, unlicensed snippets and expiring API plans. (5) Write down everything you learned in week one, because that is when documentation debt is cheapest to pay. If the old developer is unreachable or hostile, skip to the recovery section below.
The single most common handover mistake: accepting collaborator access to a repository the old developer still owns. Collaborators can be removed in one click; owners cannot. The test for every item below is not "can I log in?" but "can anyone else lock me out?"
Procedures last verified July 2026
| Asset | What "done" looks like | Common trap |
|---|---|---|
| Source repositories | Full ownership transfer into a GitHub/GitLab organisation you own (GitHub: Settings → Danger Zone → Transfer ownership). History, issues and releases come with it. | Being added as a collaborator, or receiving a zip of the code with no git history. |
| Org & team accounts | Your own organisation, with billing in your company's name and you as the sole org owner. The old developer becomes an outside collaborator you can remove. | The "company" org was actually the freelancer's personal org all along. |
| CI/CD | Pipeline accounts (and their stored environment secrets) under your ownership; deploy targets re-pointed at credentials you issued. | Builds keep passing because they still deploy with the old developer's personal token — until it expires. |
| Cloud console | The root/owner account on your email with billing on your card; the old developer reduced to a revocable role, then removed. | You have an admin user inside an account they own — they can still close the whole account. |
| Domain & DNS | Registrant transfer of the domain to your registrar account; the DNS zone hosted under your account. | The domain is the business. If only one item on this table gets done, make it this one. |
| Database | Hosting account in your name, superuser credentials you set yourself, and a backup you have personally restored once. | Backups that were never tested, or that write to storage the old developer owns. |
| Error tracking & logs | Project ownership transferred; alert emails re-pointed at your inbox. | Errors have been silently emailing a departed person for months. |
| Analytics | Property ownership (not just viewer access) under your account. | Years of traffic history stranded in an account you cannot access. |
| App store accounts | Apps transferred to your own Apple Developer and Google Play accounts. | The app listing — reviews, install base and all — lives in the freelancer's personal account. |
Do this stage while the old developer is still cooperative and still being paid. Goodwill is an expiring asset; account transfers that take five minutes today can take months once the person has moved on.
This is not an accusation — it is hygiene. Every credential the old developer used now exists on hardware you don't control: laptops, old .env files, shell history, password managers. Rotation is also the only remedy for secrets committed to git at any point: deleting them from the current code does not delete them from history.
| Secret | Why it must rotate |
|---|---|
| Third-party API keys (payments, email, maps, LLM providers) | Anyone holding an old key can run up charges on your bill or, worse, read the customer data those APIs expose. Payment provider keys are the priority — rotate live keys before test keys. |
| Database passwords & connection strings | A connection string is direct read/write access to production data, bypassing the application and every rule in it. Rotate the password and restrict network access to known hosts at the same time. |
| Deploy keys & SSH keys | Removing someone's account does not remove their key from authorized_keys on the server or from the repo's deploy-key list. Audit both lists and remove anything you did not issue. |
| OAuth client secrets | A leaked client secret lets someone mint tokens that impersonate your application to Google, Apple or any other identity provider — invisible in your own logs. |
| Webhook signing secrets | Whoever holds the signing secret can forge events your app trusts — a fabricated "payment succeeded" webhook is the classic abuse. Rotate at the provider and update your app in the same deploy. |
| Cloud IAM users, tokens & service accounts | Long-lived access keys survive the person leaving. List every IAM user and access key, delete the ones tied to the old developer, and check audit logs for keys you cannot attribute. |
| CI/CD environment variables | Pipelines cache copies of many of the secrets above. Rotate the sources first, then update the pipeline copies — otherwise the next build quietly deploys with dead credentials. |
Sequence matters: revoke account access first, rotate the same day, then scan git history for hardcoded secrets (tools like gitleaks or trufflehog automate this) so you know which keys were exposed the longest.
A repository you cannot turn into a running application is an archive, not a handover. The orientation pass answers one question: could a competent engineer who has never seen this project get it live from what exists today? Run it on a clean machine — a fresh VM or container, not the laptop that already has everything installed — because the clean machine is where the undocumented steps surface.
The final step is the one most people skip: map the deployed version against the repository HEAD. Diff what is actually running in production against the latest commit. Hotfixes applied directly on the server and never committed are extremely common at the end of a strained engagement, and they vanish on your first deploy if you don't capture them now.
.env.example admits toInherited code carries inherited obligations. An hour with a licence scanner now is cheaper than discovering any of these after launch:
npm audit, pip-audit, composer audit) and triage known vulnerabilities by exploitability, not raw count.Week one is the only time you experience the project as an outsider — every confusing thing you hit is a documentation gap the next person will hit too. After a month you will have internalised the quirks and stopped seeing them. Capture them now, cheaply, in plain text files in the repository where they cannot be lost with an account.
None of this needs to be polished. A dated bullet list beats a beautiful wiki that never gets written.
Everything above assumes a cooperating counterpart. If the old developer has gone silent, is withholding access, or is demanding unagreed payment for the handover, change footing:
We've written a dedicated guide for the abandonment case — what to do when a freelancer abandons your project — and if you want a team to run the recovery, the takeover and the stabilisation as one engagement, that is exactly what our app rescue service is for.
Book a free 30-minute call with a senior engineer — in your business hours. We'll walk through this checklist against your actual project: what to transfer, what to rotate first, and whether the code you're inheriting is worth keeping.
Book a free scoping call →