# Start Secret Rotation

> Initiate the rotation of a Connected App client secret.

After this endpoint is called, both the client's `client_secret` and `next_client_secret` are valid. To complete the secret rotation flow, update all usages of `client_secret` to `next_client_secret`, then call the Rotate Secret endpoint. Secret rotation can be cancelled using the Cancel Secret Rotation endpoint.

<Note>
  This is the only time you will be able to view the generated `next_client_secret` in the API response. Stytch stores a hash of the `next_client_secret` and cannot recover the value if lost. Be sure to persist the `next_client_secret` in a secure location. If the `next_client_secret` is lost, you will need to restart the secret rotation flow to receive another one.
</Note>
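
The sketch below is an added example, not Stytch's code: it persists `next_client_secret` before anything else happens to the response and builds a redacted copy for logging, since printing the whole response (as the SDK samples in the spec do) would write the one-time secret to logs. It assumes the response has been parsed into a dict shaped like the `RotateStartResponse` schema; the sample values, the function names and the local file standing in for a secrets manager are all hypothetical.

```python
import copy
import json
import os
import tempfile

# Constructed sample shaped like the RotateStartResponse schema; every value is made up.
SAMPLE_RESPONSE = {
    "request_id": "request-id-test-00000000-0000-0000-0000-000000000000",
    "status_code": 200,
    "connected_app": {
        "client_id": "connected-app-test-EXAMPLE",
        "client_secret_last_four": "abcd",
        "next_client_secret": "EXAMPLE-next-secret-wxyz",
        "next_client_secret_last_four": "wxyz",
    },
}


def persist_next_secret(response, dest_path):
    """Atomically write next_client_secret to dest_path (hypothetical store), mode 0600."""
    app = response["connected_app"]
    secret = app.get("next_client_secret")
    if not secret:
        raise ValueError("no next_client_secret in response; restart the rotation flow")
    last_four = app.get("next_client_secret_last_four")
    if last_four and not secret.endswith(last_four):
        raise ValueError("secret does not match next_client_secret_last_four")
    # mkstemp creates the file readable and writable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump({"client_id": app["client_id"], "next_client_secret": secret}, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest_path)  # atomic rename: readers never see a partial file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest_path


def redact_for_logging(response):
    """Return a deep copy that is safe to log: the one-time secret is masked."""
    safe = copy.deepcopy(response)
    app = safe.get("connected_app", {})
    if app.get("next_client_secret"):
        app["next_client_secret"] = "[REDACTED]"
    return safe
```

Call `persist_next_secret` first and log only the output of `redact_for_logging`; the `*_last_four` fields stay visible so operators can still tell which secret is active.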


## OpenAPI

````yaml POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.0.0
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/connected_apps/clients/{client_id}/secrets/rotate/start:
    post:
      tags:
        - Clients
      summary: Rotatestart
      description: >-
        Initiate the rotation of a Connected App client secret. After this
        endpoint is called, both the client's `client_secret` and
        `next_client_secret` will be valid. To complete the secret rotation
        flow, update all usages of `client_secret` to `next_client_secret` and
        call the Rotate Secret Endpoint to complete the flow.

        Secret rotation can be cancelled using the Cancel Secret Rotation
        endpoint.


        **Important:** This is the only time you will be able to view the
        generated `next_client_secret` in the API response. Stytch stores a hash
        of the `next_client_secret` and cannot recover the value if lost. Be
        sure to persist the `next_client_secret` in a secure location. If the
        `next_client_secret` is lost, you will need to trigger a secret rotation
        flow to receive another one.
      operationId: api_connectedapps_v1_connected_apps_clients_secrets_RotateStart
      parameters:
        - name: client_id
          in: path
          required: true
          schema:
            type: string
            description: The ID of the client.
          description: The ID of the client.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/api_connectedapps_v1_connected_apps_clients_secrets_RotateStartRequest
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/api_connectedapps_v1_connected_apps_clients_secrets_RotateStartResponse
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              client_id: "${exampleM2MClientID}",
            };

            client.ConnectedApp.Clients.Secrets.RotateStart(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v17/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v17/stytch/consumer/connectedapps/clients/secrets\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &secrets.RotateStartParams{\n\t\tClientID: \"${exampleM2MClientID}\",\n\t}\n\n\tresp, err := client.ConnectedApp.Clients.Secrets.RotateStart(context.Background(), params)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: >-
            // POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start

            package com.example;


            import com.stytch.java.b2b.StytchB2BClient;

            import com.stytch.java.common.StytchResult;

            import
            com.stytch.java.consumer.models.connectedappsclientssecrets.RotateStartRequest;


            public class Main {
                public static void main(String[] args) {
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    RotateStartRequest params = new RotateStartRequest();
                    params.setClientId("${exampleM2MClientID}");

                    Object result = StytchB2BClient.getConnectedApp().getClients().getSecrets().rotateStart(params);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: >
            // POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start

            package com.example


            import com.stytch.java.b2b.StytchB2BClient

            import com.stytch.java.common.StytchResult

            import
            com.stytch.java.consumer.models.connectedappsclientssecrets.RotateStartRequest


            fun main() {
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchB2BClient.connectedApp.clients.secrets.rotateStart(
                            RotateStartRequest(
                                clientId = "${exampleM2MClientID}",
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              client_id: "${exampleM2MClientID}",
            };

            client.connectedApp.clients.secrets.rotateStart(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->connected_app->clients->secrets->rotate_start([
                'client_id' => '${exampleM2MClientID}',
            ]);
        - lang: python
          label: Python
          source: |
            # POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
            from stytch import B2BClient

            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )

            resp = client.connected_app.clients.secrets.rotate_start(
                client_id="${exampleM2MClientID}",
            )

            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
            require 'stytch'

            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.connected_app.clients.secrets.rotate_start(
              client_id: "${exampleM2MClientID}"
            )

            puts resp
        - lang: rust
          label: Rust
          source: >-
            // POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start

            use stytch::b2b::client::Client;

            use
            stytch::consumer::connected_apps_clients_secrets::RotateStartRequest;


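            // Assumes the tokio runtime; main must be async because the call
            below is awaited.

            #[tokio::main]

            async fn main() {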
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.connected_app.clients.secrets.rotate_start(
                    RotateStartRequest{
                        client_id: "${exampleM2MClientID}",
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/connected_apps/clients/{client_id}/secrets/rotate/start
            curl --request POST \
              --url https://test.stytch.com/v1/connected_apps/clients/${exampleM2MClientID}/secrets/rotate/start \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json'
components:
  schemas:
    api_connectedapps_v1_connected_apps_clients_secrets_RotateStartRequest:
      type: object
      properties: {}
      description: Request type
    api_connectedapps_v1_connected_apps_clients_secrets_RotateStartResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        connected_app:
          $ref: >-
            #/components/schemas/api_connectedapps_v1_ConnectedAppWithNextClientSecret
          description: The Connected App affected by this operation.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
      required:
        - request_id
        - connected_app
        - status_code
    api_connectedapps_v1_ConnectedAppWithNextClientSecret:
      type: object
      properties:
        client_id:
          type: string
          description: The ID of the Connected App client.
        client_name:
          type: string
          description: A human-readable name for the client.
        client_description:
          type: string
          description: A human-readable description for the client.
        status:
          type: string
        client_secret_last_four:
          type: string
          description: The last four characters of the client secret.
        full_access_allowed:
          type: boolean
          description: >-
            Valid for first party clients only. If `true`, an authorization
            token granted to this Client can be exchanged for a full Stytch
            session.
        client_type:
          type: string
          description: >-
            The type of Connected App. Supported values are `first_party`,
            `first_party_public`, `third_party`, and `third_party_public`.
        redirect_urls:
          type: array
          items:
            type: string
          description: Array of redirect URI values for use in OAuth Authorization flows.
        next_client_secret:
          type: string
        access_token_expiry_minutes:
          type: integer
          format: int32
        access_token_template_content:
          type: string
        post_logout_redirect_urls:
          type: array
          items:
            type: string
          description: Array of redirect URI values for use in OIDC Logout flows.
        bypass_consent_for_offline_access:
          type: boolean
          description: >-
            Valid for first party clients only. If true, the client does not
            need to request explicit user consent for the `offline_access`
            scope.
        next_client_secret_last_four:
          type: string
          description: >-
            The last four characters of the `next_client_secret`. Null if no
            `next_client_secret` exists.
        access_token_custom_audience:
          type: string
        logo_url:
          type: string
          description: The logo URL of the Connected App, if any.
        client_id_metadata_url:
          type: string
      required:
        - client_id
        - client_name
        - client_description
        - status
        - client_secret_last_four
        - full_access_allowed
        - client_type
        - redirect_urls
        - next_client_secret
        - access_token_expiry_minutes
        - access_token_template_content
        - post_logout_redirect_urls
        - bypass_consent_for_offline_access
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````