Skip to main content

Rotate tokens


Generates new token IDs for a list of tokens.

The role performing this operation must have both of these:

  • The CapTokensWriter capability.
  • At least one allowing policy and no denying policies for the write operation for the tokens resource of the specified collection.

See identity and access management for more information about how capabilities are used to control access to operations and policies are used to control access to data.


Header parameters

  • X-Tenant-Id - array of strings

    List of tenant IDs to enforce on the request.

Path parameters

  • collection - string required*

    The name of a collection.

Query parameters

  • token_ids - array of strings required*

    Comma-separated list of token IDs.

  • adhoc_reason - string

    An ad-hoc reason for accessing the Vault data. Required when reason is set to Other.

  • reason - string required*

    Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.

  • reload_cache - boolean

    Reloads the cache before the action.

Possible responses

The request is successful.

object required*

Mapping between old token IDs and new token IDs.

Values of additional properties are strings
"49303e72-35e3-11ed-a261-0242ac120002": "463a83d0-a816-4902-abba-2486e0c0a0bb"
"49303e72-35e3-11ed-a261-0242ac120002": "463a83d0-a816-4902-abba-2486e0c0a0bb"

Try the API


Path parameters

Query parameters


Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples