diff --git a/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md b/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md
new file mode 100644
index 0000000..ec8834f
--- /dev/null
+++ b/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md
@@ -0,0 +1 @@
+Fixed the `op item edit` invocation in the [[zot]] API-key rotation procedure: the previous `pbpaste | op item edit ... "field[password]=-"` stdin syntax is rejected by op 2.34 as "invalid JSON" (recent op versions treat piped input as a full JSON template, not a single field value). Procedure now reads the clipboard into a local fish variable and passes it as an inline assignment.
diff --git a/docs/reference/services/zot.md b/docs/reference/services/zot.md
index d00a200..b01a6ce 100644
--- a/docs/reference/services/zot.md
+++ b/docs/reference/services/zot.md
@@ -56,8 +56,9 @@ The `zot-ci` API key expires every **90 days**. To rotate:
 5. Generate a new API key, copy it to clipboard
 6. Update 1Password:
    ```fish
-   pbpaste | op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=-"
+   set -l NEWKEY (pbpaste); op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=$NEWKEY"; set -e NEWKEY
    ```
+   The value is briefly visible to other `ps`-readers on this machine (single-user mac, acceptable tradeoff). The older `pbpaste | op item edit ... "field[password]=-"` stdin syntax was rejected by op 2.34 as "invalid JSON" — recent op versions treat piped input as a full JSON template.
 7. Sync to Forgejo: `mise run provision-indri -- --tags forgejo_actions_secrets`
 
 ## Related