client_secret and immediately invalidates the previous one. You only need to send client_id and email to rotate. Any other fields you include will update the app. Fields you omit stay unchanged.
When to rotate
- Your
client_secretwas compromised or lost - You need to change the app name, description, or avatar
- You need to add or remove redirect URIs
How it works
Rotation is not a full update. It uses yourclient_id and email as proof of ownership. The new credentials are always sent to the email address registered with the app. That email cannot be changed and is never returned by the API.
Submit the rotation request
Call
POST /v1/auth/rotate-app with your client_id, email, and any fields you want to
update.Receive new credentials by email
A new
client_secret is generated and sent to the email address registered with the app. The
old secret is invalidated immediately.Rotate via API
Minimal request: only rotates the credentials, keeps all existing app data:client_secret is sent only by email and never returned in the API response. Store it securely as soon as you receive it.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Current client_id of the app being rotated. |
email | string | Yes | Email address registered with the app. Used to verify ownership. The API never reveals which email is on file. It returns an error if the value does not match. |
app_name | string | No | New name shown to users on the consent screen. Max 100 chars. If omitted, the current name is kept. |
description | string | No | New description of what your app does. Max 500 chars. If omitted, the current description is kept. |
avatar_url | string | No | HTTPS URL of your app logo. Accepted formats: JPEG, PNG, WebP, GIF, BMP, TIFF. If omitted, the current avatar is kept. |
redirect_uris | string[] | No | New list of HTTPS redirect URIs. Replaces the previous list entirely. If omitted, the current list is kept. |
Scopes cannot be changed via rotation. Scopes are fixed at registration and are permanent for the
lifetime of the app. If you need different scopes, you must register a new app with a different
email address. Each email can only be associated with one registered app. Registering a new app
generates a new
client_id, which means all existing user authorizations are invalidated and
users must go through the consent flow again.What changes after rotation
| Field | After rotation |
|---|---|
client_secret | New value. Sent by email. Update your app. |
client_id | Does not change. Stays the same. |
app_name | Updated if sent in the request. |
description | Updated if sent in the request. |
avatar | Updated if avatar_url sent in request. |
redirect_uris | Updated if sent in the request. |
| Active tokens | Not affected. Existing sessions continue. |
Related
- Register your app: first-time registration to get your initial credentials
- Authentication: implement the OAuth 2.1 flow after updating your credentials