> ## Documentation Index > Fetch the complete documentation index at: https://docs.hopae.com/llms.txt > Use this file to discover all available pages before exploring further. # Rotate Client Secret > Generate a new clientSecret for an existing App. Generates a new `clientSecret` for the App, immediately replacing the existing one. This is the **only time** the new secret is returned. Store it immediately in a secure location (e.g. HashiCorp Vault, AWS Secrets Manager, or an encrypted DB column) — it cannot be retrieved later. The **old** `clientSecret` is invalidated immediately. Any in-flight Basic Auth requests using the old secret will fail. Rotate only when you are ready to update your credential store atomically. ## Request `Bearer ` from Console > Developers > Workspace API Keys. Optional client-generated string (max 255 chars) to safely retry without issuing a second rotation. Scoped per workspace; valid for 24 hours. On replay with the same key, the original response (including the same rotated `clientSecret`) is returned with an `Idempotency-Replayed: true` header so the caller can persist the secret exactly once. ### Path parameters Client identifier of the app whose secret should be rotated. ### Request body None. Send an empty body or omit the body entirely. ## Response The newly generated client secret. Use this for Basic Auth (`clientId:clientSecret`) when calling the Connect API. ```bash theme={null} curl -X POST \ -H "Authorization: Bearer sk_workspace_test_..." \ "https://sandbox.api.hopae.com/connect/v1/apps/HqTRDIYH/rotate-client-secret" ``` ```json theme={null} { "clientSecret": "a3f2c1e4b8d7f6a9c2e5b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a4" } ```