Why do you rely on apigee on target credentials 🙂 but you should think of onboarding target credentials(for that matter any sensitive credentials which is mandated to be rotate based of compliance needs) into a vault (like cyberark,HashiCorp valut etc & enable alerting mechanism ) which will have a better capabilities .Again this all goes by company security guidelines on keys rotation.If there is an opportunity why not speak to security engineer on enabling such features.

Also have a utility build across kvm so that it is easy to operate across different kvm's to update keys on a event of key rotation(if you are following proper naming standards).

One step further think about two key approach concept at backend -- may be little advanced but having current and previous key to support during the swap/cryptoperiod..Sometimes if backend changes credentials but upstream is still sending old credentials for shorter period because of cache issues or what ever it could be & to avoid failure if backend code honors both key support till certain crypto period this will help reduce failures (also need to consider on previous compromise/deactivated  keys scenarios to be taken care).. I will let reader to be creative on the implementation. Try practice in lower environments & once you have a way you can rotate the keys at will..

Over the concept is to have better alerting using a key vault and not burden/rely on applications..