If I want, I will leave myself the entrance to the server, and it will be oh so difficult to find it.
It is necessary not to lead to such situations, since without experience it is unrealistic to find all the loopholes.

> 1. Keys for authorization via ssh. There is a standard location, and if there is nothing dangerous there, then where else can the key lie?
What if there is a piece of the download key in the code? Moreover, only on the full moon on September 8 and if the weather over Madagascar is flying.
Commandment number one: "Trust the doer."
If you do not trust the performer, then do not work with him.

I'm not a developer, so I would recommend an easier way).
Well, if I was faced with such a task, then I would solve it like this).
If you know the contacts of all the developers who had access, you can send them a message in the following format:
- Save the guys, I'm on vacation, I can't connect to the server at arm's length, I can't access the server, the passwords are on the USB flash drive at home, your access has been lost. And there everything is gone, I will not remain in debt. Any ideas?
You can even stop something that is not critical for a while.
If someone has hidden access, he will help for the promised reward. And then you decide what to do with it and how to act.
But it is better to trust the developers and not throw them for money if the work and agreements have been completed.
Approximately such a message, as described above, was received by my friend, but no one closed access to him, as it turned out, within two years after the work was completed, he helped and then received a bottle of good cognac.