POST Rotate service account secret
Required capability
service_accounts.rotate_secret
Issues a new client_secret. The plaintext secret is returned exactly once, in this response, and cannot be fetched again afterwards. By default the previous secret is invalidated immediately; pass invalidate_previous_secret: false to keep it valid for a grace period so callers can hot-swap. The service account itself never expires on a timer; its lifecycle is status-only (active or revoked). client_secret_expires_at is the new client-secret TTL; the JWT access-token TTL is separate.
Request
Request URL
POST /service-accounts/{service_account_id}/rotate-secret
Request Body
{
  "invalidate_previous_secret": true,
  "reason": "Routine rotation"
}
Responses
Response
{
  "client_id": "b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
  "client_secret": "cs_live_abc123placeholder",
  "client_secret_expires_at": "2026-05-01T10:00:00Z",
  "principal_ref": "service-accounts/b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
  "service_account": {
    "description": "Withdrawal automation account",
    "created_at": "2026-05-01T10:00:00Z",
    "current_secret_expires_at": "2026-05-01T10:00:00Z",
    "etag": "W/\"sa-etag-0001\"",
    "external_id": "sa-ext-001",
    "id": "b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
    "parent_ref": "enterprises/b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
    "previous_secret_expires_at": null,
    "principal_ref": "service-accounts/b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
    "resource": "service_account",
    "status": "active",
    "updated_at": "2026-05-01T10:00:00Z"
  }
}
Resource created successfully.
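Client-side handling of a grace-period rotation, as an added example that is not part of this API's own documentation or code: it builds the request body, persists the one-time secret before anything else, and produces a log record with the plaintext removed. The names rotate_request, handle_rotation and store_secret are hypothetical, the sample response is constructed, and it assumes previous_secret_expires_at carries the end of the grace period.

```python
import json
from datetime import datetime, timezone

def rotate_request(service_account_id, reason, keep_previous):
    """Build (method, path, body) for the rotate-secret call."""
    body = {"invalidate_previous_secret": not keep_previous, "reason": reason}
    return "POST", f"/service-accounts/{service_account_id}/rotate-secret", body

def _ts(value):
    # Parse the response's "Z"-suffixed timestamps; null stays None.
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def handle_rotation(response, store_secret, now):
    """Persist the one-time secret first, then return a log-safe summary."""
    # store_secret is a hypothetical callback into your secret manager.
    store_secret(response["client_id"], response["client_secret"],
                 _ts(response["client_secret_expires_at"]))
    sa = response["service_account"]
    # Assumption: previous_secret_expires_at is when the old secret stops working.
    deadline = _ts(sa.get("previous_secret_expires_at"))
    redacted = dict(response, client_secret="[REDACTED]")
    return {
        "log_record": json.dumps(redacted, sort_keys=True),
        "old_secret_usable": deadline is not None and deadline > now,
        "hot_swap_deadline": deadline,
    }

# Constructed sample response (placeholder values, not real credentials).
SAMPLE = {
    "client_id": "b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
    "client_secret": "cs_live_abc123placeholder",
    "client_secret_expires_at": "2026-08-01T10:00:00Z",
    "service_account": {
        "status": "active",
        "previous_secret_expires_at": "2026-05-01T11:00:00Z",
    },
}

if __name__ == "__main__":
    vault = {}
    now = datetime(2026, 5, 1, 10, 30, tzinfo=timezone.utc)
    summary = handle_rotation(
        SAMPLE, lambda cid, s, exp: vault.update({cid: (s, exp)}), now)
    print(summary["log_record"])
    print("old secret usable:", summary["old_secret_usable"])
```

Callers still holding the old secret need to switch before hot_swap_deadline; when it is None the previous secret was invalidated immediately.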