> ## Documentation Index
> Fetch the complete documentation index at: https://developers.vendaze.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate app credentials

> Replace your app credentials and optionally update its name, description, redirect URIs, or avatar.

Rotating your app issues a new `client_secret` and immediately invalidates the previous one. You only need to send `client_id` and `email` to rotate. Any other fields you include will update the app. Fields you omit stay unchanged.

<Warning>
  The old `client_secret` is invalidated immediately after rotation. Update your app as soon as you
  receive the new credentials by email.
</Warning>

## When to rotate

* Your `client_secret` was compromised or lost
* You need to change the app name, description, or avatar
* You need to add or remove redirect URIs

## How it works

Rotation is not a full update. It uses your `client_id` and `email` as proof of ownership. The new credentials are always sent to the email address registered with the app. That email cannot be changed and is never returned by the API.

<Steps>
  <Step title="Submit the rotation request">
    Call `POST /v1/auth/rotate-app` with your `client_id`, `email`, and any fields you want to
    update.
  </Step>

  <Step title="Receive new credentials by email">
    A new `client_secret` is generated and sent to the email address registered with the app. The
    old secret is invalidated immediately.
  </Step>

  <Step title="Update your app">
    Replace the stored `client_secret` in your app with the new value.
  </Step>
</Steps>

## Rotate via API

Minimal request: only rotates the credentials, keeps all existing app data:

```bash theme={null}
curl -X POST https://api.vendaze.com/v1/auth/rotate-app \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "email": "you@yourcompany.com"
  }'
```

With optional updates: rotates credentials and updates the app at the same time:

```bash theme={null}
curl -X POST https://api.vendaze.com/v1/auth/rotate-app \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "email": "you@yourcompany.com",
    "app_name": "My Integration v2",
    "description": "Updated description for My Integration",
    "avatar_url": "https://yourapp.com/assets/logo-v2.png",
    "redirect_uris": ["https://yourapp.com/oauth/callback"]
  }'
```

**Resposta (200):**

```json theme={null}
{
  "data": {
    "app_name": "My Integration v2",
    "client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
    "avatar_url": "https://storage.vendaze.com/assets/integrations/myintegrationv2.jpg",
    "message": "New credentials sent by email."
  }
}
```

The new `client_secret` is sent **only by email** and never returned in the API response. Store it securely as soon as you receive it.

## Request parameters

| Parameter       | Type      | Required | Description                                                                                                                                                     |
| --------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `client_id`     | string    | Yes      | Current `client_id` of the app being rotated.                                                                                                                   |
| `email`         | string    | Yes      | Email address registered with the app. Used to verify ownership. The API never reveals which email is on file. It returns an error if the value does not match. |
| `app_name`      | string    | No       | New name shown to users on the consent screen. Max 100 chars. If omitted, the current name is kept.                                                             |
| `description`   | string    | No       | New description of what your app does. Max 500 chars. If omitted, the current description is kept.                                                              |
| `avatar_url`    | string    | No       | HTTPS URL of your app logo. Accepted formats: JPEG, PNG, WebP, GIF, BMP, TIFF. If omitted, the current avatar is kept.                                          |
| `redirect_uris` | string\[] | No       | New list of HTTPS redirect URIs. Replaces the previous list entirely. If omitted, the current list is kept.                                                     |

<Note>
  Scopes cannot be changed via rotation. Scopes are fixed at registration and are permanent for the
  lifetime of the app. If you need different scopes, you must register a new app with a different
  email address. Each email can only be associated with one registered app. Registering a new app
  generates a new `client_id`, which means all existing user authorizations are invalidated and
  users must go through the consent flow again.
</Note>

## What changes after rotation

| Field           | After rotation                             |
| --------------- | ------------------------------------------ |
| `client_secret` | New value. Sent by email. Update your app. |
| `client_id`     | Does not change. Stays the same.           |
| `app_name`      | Updated if sent in the request.            |
| `description`   | Updated if sent in the request.            |
| `avatar`        | Updated if `avatar_url` sent in request.   |
| `redirect_uris` | Updated if sent in the request.            |
| Active tokens   | Not affected. Existing sessions continue.  |

## Related

* [Register your app](/en/guides/register-app): first-time registration to get your initial credentials
* [Authentication](/en/guides/authentication): implement the OAuth 2.1 flow after updating your credentials
