Skip to main content
Rotating your app issues a new client_secret and immediately invalidates the previous one. You only need to send client_id and email to rotate. Any other fields you include will update the app. Fields you omit stay unchanged.
The old client_secret is invalidated immediately after rotation. Update your app as soon as you receive the new credentials by email.

When to rotate

  • Your client_secret was compromised or lost
  • You need to change the app name, description, or avatar
  • You need to add or remove redirect URIs

How it works

Rotation is not a full update. It uses your client_id and email as proof of ownership. The new credentials are always sent to the email address registered with the app. That email cannot be changed and is never returned by the API.
1

Submit the rotation request

Call POST /v1/auth/rotate-app with your client_id, email, and any fields you want to update.
2

Receive new credentials by email

A new client_secret is generated and sent to the email address registered with the app. The old secret is invalidated immediately.
3

Update your app

Replace the stored client_secret in your app with the new value.

Rotate via API

Minimal request: only rotates the credentials, keeps all existing app data:
curl -X POST https://api.vendaze.com/v1/auth/rotate-app \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "email": "you@yourcompany.com"
  }'
With optional updates: rotates credentials and updates the app at the same time:
curl -X POST https://api.vendaze.com/v1/auth/rotate-app \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "email": "you@yourcompany.com",
    "app_name": "My Integration v2",
    "description": "Updated description for My Integration",
    "avatar_url": "https://yourapp.com/assets/logo-v2.png",
    "redirect_uris": ["https://yourapp.com/oauth/callback"]
  }'
Resposta (200):
{
  "data": {
    "app_name": "My Integration v2",
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "avatar_url": "https://storage.vendaze.com/assets/integrations/myintegrationv2.jpg",
    "message": "New credentials sent by email."
  }
}
The new client_secret is sent only by email and never returned in the API response. Store it securely as soon as you receive it.

Request parameters

ParameterTypeRequiredDescription
client_idstringYesCurrent client_id of the app being rotated.
emailstringYesEmail address registered with the app. Used to verify ownership. The API never reveals which email is on file. It returns an error if the value does not match.
app_namestringNoNew name shown to users on the consent screen. Max 100 chars. If omitted, the current name is kept.
descriptionstringNoNew description of what your app does. Max 500 chars. If omitted, the current description is kept.
avatar_urlstringNoHTTPS URL of your app logo. Accepted formats: JPEG, PNG, WebP, GIF, BMP, TIFF. If omitted, the current avatar is kept.
redirect_urisstring[]NoNew list of HTTPS redirect URIs. Replaces the previous list entirely. If omitted, the current list is kept.
Scopes cannot be changed via rotation. Scopes are fixed at registration and are permanent for the lifetime of the app. If you need different scopes, you must register a new app with a different email address. Each email can only be associated with one registered app. Registering a new app generates a new client_id, which means all existing user authorizations are invalidated and users must go through the consent flow again.

What changes after rotation

FieldAfter rotation
client_secretNew value. Sent by email. Update your app.
client_idDoes not change. Stays the same.
app_nameUpdated if sent in the request.
descriptionUpdated if sent in the request.
avatarUpdated if avatar_url sent in request.
redirect_urisUpdated if sent in the request.
Active tokensNot affected. Existing sessions continue.