Rotate Access Key | API Reference | Descope Documentation

POST

/v1/mgmt/accesskey/rotate

Authorization

Descope Project ID and Management Key

AuthorizationBearer <token>

Project ID:Management Key as bearer token.

In: header

Rotate an access key — regenerates the secret for an existing access key while preserving the same key ID, name, roles, tenants, expiry and metadata. The new cleartext is returned exactly once and the previous secret stops working immediately.

curl -X POST "https://api.descope.com/v1/mgmt/accesskey/rotate" \
  -H "Content-Type: application/json" \
  -d '{}'

curl -X POST "https://api.descope.com/v1/mgmt/accesskey/rotate" \  -H "Content-Type: application/json" \  -d '{}'

ResponseOK

{
  "key": {
    "id": "string",
    "name": "string",
    "roleNames": [
      "string"
    ],
    "keyTenants": [
      {
        "tenantId": "string",
        "roleNames": [
          "string"
        ],
        "tenantName": "string"
      }
    ],
    "status": "string",
    "createdTime": 0,
    "expireTime": 0,
    "createdBy": "string",
    "clientId": "string",
    "boundUserId": "string",
    "customClaims": {
      "claim-name": "claim-value"
    },
    "editable": true,
    "description": "string",
    "permittedIps": [
      "string"
    ],
    "customAttributes": {
      "attribute-key": "attribute-value"
    }
  },
  "cleartext": "string"
}

{  "key": {    "id": "string",    "name": "string",    "roleNames": [      "string"    ],    "keyTenants": [      {        "tenantId": "string",        "roleNames": [          "string"        ],        "tenantName": "string"      }    ],    "status": "string",    "createdTime": 0,    "expireTime": 0,    "createdBy": "string",    "clientId": "string",    "boundUserId": "string",    "customClaims": {      "claim-name": "claim-value"    },    "editable": true,    "description": "string",    "permittedIps": [      "string"    ],    "customAttributes": {      "attribute-key": "attribute-value"    }  },  "cleartext": "string"}

TypeScript

export interface Response {
key?: AccessKey
cleartext?: string
}
export interface AccessKey {
id?: string
name?: string
roleNames?: string[]
keyTenants?: AssociatedTenantAK[]
status?: string
createdTime?: number
expireTime?: number
createdBy?: string
clientId?: string
boundUserId?: string
/**
 * Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans.
 */
customClaims?: {
[k: string]: string
}
editable?: boolean
description?: string
permittedIps?: string[]
/**
 * Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays.
 */
customAttributes?: {
[k: string]: string
}
}
export interface AssociatedTenantAK {
tenantId?: string
roleNames?: string[]
tenantName?: string
}

export interface Response {key?: AccessKeycleartext?: string}export interface AccessKey {id?: stringname?: stringroleNames?: string[]keyTenants?: AssociatedTenantAK[]status?: stringcreatedTime?: numberexpireTime?: numbercreatedBy?: stringclientId?: stringboundUserId?: string/** * Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. */customClaims?: {[k: string]: string}editable?: booleandescription?: stringpermittedIps?: string[]/** * Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. */customAttributes?: {[k: string]: string}}export interface AssociatedTenantAK {tenantId?: stringroleNames?: string[]tenantName?: string}

Was this helpful?

Authorization

Request Body