> ## Documentation Index
> Fetch the complete documentation index at: https://developers.vendaze.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate app credentials

> Issues a new client_secret and immediately invalidates the previous one. The client_id stays the same. Active user tokens are not affected.



## OpenAPI

````yaml /en/api-reference/openapi.json post /v1/auth/rotate-app
openapi: 3.1.0
info:
  title: OAuth 2.1
  description: Endpoints for registering applications and managing OAuth 2.1 tokens.
  version: 1.0.0
  contact:
    name: Vendaze Support
    email: suporte@vendaze.com
servers:
  - url: https://api.vendaze.com
    description: Production
security:
  - bearerAuth: []
tags:
  - name: OAuth
  - name: People
  - name: Companies
  - name: Deals
  - name: Pipelines
  - name: Tasks
  - name: Task Types
  - name: Products
  - name: Tags
  - name: Lists
  - name: Custom Fields
  - name: Webhooks
paths:
  /v1/auth/rotate-app:
    post:
      tags:
        - OAuth
      summary: Rotate app credentials
      description: >-
        Issues a new client_secret and immediately invalidates the previous one.
        The client_id stays the same. Active user tokens are not affected.
      operationId: rotateApp
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RotateAppRequest'
      responses:
        '200':
          description: Credentials rotated successfully. New credentials sent by email.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RotateAppResponse'
        '400':
          description: >-
            Invalid or unparseable JSON body. Error code: `bad_request`.
            Message: `"Request body must be valid JSON."`
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                error:
                  code: bad_request
                  message: Request body must be valid JSON.
                  request_id: 550e8400-e29b-41d4-a716-446655440000
        '401':
          description: >-
            Email does not match the one registered with the app. Error code:
            `invalid_client`. Message: `"Invalid client credentials."`
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                error:
                  code: invalid_client
                  message: Invalid client credentials.
                  request_id: 550e8400-e29b-41d4-a716-446655440000
        '404':
          description: >-
            App not found or revoked. Error code: `not_found`. Message: `"App
            not found."`
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                error:
                  code: not_found
                  message: App not found.
                  request_id: 550e8400-e29b-41d4-a716-446655440000
        '422':
          $ref: '#/components/responses/ValidationError'
        '429':
          $ref: '#/components/responses/RateLimitExceeded'
        '500':
          description: >-
            Failed to rotate or persist the credentials. Error code:
            `internal_error`. Message: `"An unexpected error occurred."` Use the
            `request_id` to correlate with server-side logs.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                error:
                  code: internal_error
                  message: An unexpected error occurred.
                  request_id: 550e8400-e29b-41d4-a716-446655440000
      security: []
components:
  schemas:
    RotateAppRequest:
      type: object
      required:
        - client_id
        - email
      properties:
        client_id:
          type: string
          format: uuid
          example: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
          description: Current client_id of the app being rotated.
        email:
          type: string
          format: email
          example: dev@mysaas.com
          description: >-
            Email address registered with the app. Used to verify ownership. The
            API never reveals which email is on file.
        app_name:
          type: string
          maxLength: 100
          example: My SaaS v2
          description: >-
            New name shown to users on the consent screen. Max 100 chars. If
            omitted, the current name is kept.
        description:
          type: string
          maxLength: 500
          example: Updated integration with Vendaze.
          description: >-
            New description of what your app does. Max 500 chars. If omitted,
            the current description is kept.
        avatar_image:
          type: string
          example: data:image/png;base64,iVBORw0KGgo...
          description: >-
            Public HTTPS URL or full base64 data URI of your app logo (e.g.
            `data:image/png;base64,...`). Accepted formats: JPEG, PNG, WebP,
            GIF, BMP, TIFF. If omitted, the current avatar is kept.
        redirect_uris:
          type: array
          items:
            type: string
            format: uri
          example:
            - https://mysaas.com/callback/vendaze
          description: >-
            New list of HTTPS redirect URIs. Replaces the previous list
            entirely. If omitted, the current list is kept.
    RotateAppResponse:
      type: object
      properties:
        data:
          type: object
          properties:
            app_name:
              type: string
              example: My SaaS v2
            client_id:
              type: string
              format: uuid
              example: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
              description: The app's client_id. Does not change after rotation.
            avatar_url:
              type: string
              example: https://storage.vendaze.com/assets/integrations/mysaasv2.jpg
              description: >-
                Public URL of the stored avatar. Only present if avatar_image
                was provided in the request.
            message:
              type: string
              example: New credentials sent by email.
    ErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
            request_id:
              type: string
              format: uuid
    ValidationErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: validation_error
            message:
              type: string
              example: Validation failed.
            fields:
              type: object
              additionalProperties:
                type: string
            request_id:
              type: string
              format: uuid
  responses:
    ValidationError:
      description: >-
        Input validation failed. Error code: `validation_error`. The `fields`
        object maps each invalid field to a description of the problem.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ValidationErrorResponse'
          example:
            error:
              code: validation_error
              message: Validation failed.
              fields:
                url: url must use HTTPS.
                events: At least one event is required.
              request_id: 550e8400-e29b-41d4-a716-446655440000
    RateLimitExceeded:
      description: 'Rate limit exceeded. Error code: `rate_limit_exceeded`.'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          example:
            error:
              code: rate_limit_exceeded
              message: Rate limit exceeded. Try again in 60 seconds.
              request_id: 550e8400-e29b-41d4-a716-446655440000
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: OAuth 2.1 access token.

````