--- title: request-secrets-rotation product: vercel url: /docs/integrations/create-integration/marketplace-api/reference/partner/request-secrets-rotation type: conceptual prerequisites: [] related: - /docs/integrations/create-integration/marketplace-flows - /docs/integrations/create-integration/marketplace-api/reference - /docs/integrations/create-integration/native-integration summary: Learn about request-secrets-rotation on Vercel. install_vercel_plugin: npx plugins add vercel/vercel-plugin --- # Request Secrets Rotation **Status**: Optional **When to implement**: Expected for any integration that provisions resources with secrets. Vercel calls this endpoint when a user requests [credential rotation](/docs/integrations/create-integration/marketplace-flows#rotate-credentials-in-provider-flow) through the dashboard, for example after a security incident. Return new credentials that Vercel stores as updated environment variables. ```http POST /v1/installations/{installationId}/resources/{resourceId}/secrets/rotate ``` Request rotation of secrets for a specific resource ## Authentication **User Authentication**: This authentication uses the [OpenID Connect Protocol (OIDC)](https://auth0.com/docs/authenticate/protocols/openid-connect-protocol). Vercel sends a JSON web token (JWT) signed with Vercel’s private key and verifiable using Vercel’s public [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) (JWKS) available [here](https://marketplace.vercel.com/.well-known/jwks). User Auth OIDC token claims schema: ```json type=jsonschema { "type": "object", "properties": { "iss": { "type": "string", "enum": [ "https://marketplace.vercel.com" ] }, "aud": { "type": "string", "description": "The integration ID. Example: \"oac_9f4YG9JFjgKkRlxoaaGG0y05\"" }, "type": { "type": "string", "enum": [ "access_token", "id_token" ], "description": "The type of the token: id_token or access_token." }, "account_id": { "type": "string" }, "sub": { "type": "string", "description": "Denotes the User who is making the change (matches `/^account:[0-9a-fA-F]+:user:[0-9a-fA-F]+$/`)" }, "installation_id": { "type": "string", "description": "The ID of the installation. Example: \"icfg_9bceb8ccT32d3U417ezb5c8p\"" }, "user_id": { "type": "string" }, "user_role": { "type": "string", "enum": [ "ADMIN", "USER" ], "description": "The `ADMIN` role, by default, is provided to users capable of installing integrations, while the `USER` role can be granted to Vercel users with the Vercel `Billing` or Vercel `Viewer` role, which are considered to be Read-Only roles." }, "user_email": { "type": "string", "description": "The user's verified email address. For this property to have a value, your Marketplace integration must be opted in. Please reach out to Vercel Support to request access. Without access, this property will be undefined." }, "user_name": { "type": "string", "description": "The user's real name" }, "user_avatar_url": { "type": "string", "description": "The user's public avatar URL" } }, "required": [ "iss", "aud", "account_id", "sub", "installation_id", "user_id", "user_role" ], "additionalProperties": false } ``` **System Authentication**: This authentication uses the [OpenID Connect Protocol (OIDC)](https://auth0.com/docs/authenticate/protocols/openid-connect-protocol). Vercel sends a JSON web token (JWT) signed with Vercel’s private key and verifiable using Vercel’s public [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) (JWKS) available [here](https://marketplace.vercel.com/.well-known/jwks). System Auth OIDC token claims schema: ```json type=jsonschema { "type": "object", "properties": { "iss": { "type": "string", "enum": [ "https://marketplace.vercel.com" ] }, "sub": { "type": "string", "description": "Denotes the Account (or Team) who is making the change (matches `/^account:[0-9a-fA-F]+$/`), possibly null" }, "aud": { "type": "string", "description": "The integration ID. Example: \"oac_9f4YG9JFjgKkRlxoaaGG0y05\"" }, "type": { "type": "string", "enum": [ "access_token", "id_token" ], "description": "The type of the token: id_token or access_token." }, "installation_id": { "type": "string", "nullable": true, "description": "The ID of the installation. Example: \"icfg_9bceb8ccT32d3U417ezb5c8p\"" }, "account_id": { "type": "string" } }, "required": [ "iss", "sub", "aud", "installation_id", "account_id" ], "additionalProperties": false } ``` ## Path Parameters | Name | Type | Required | Description | |------|------|----------|-------------| | `installationId` | string | ✓ | | | `resourceId` | string | ✓ | | ## Header Parameters | Name | Type | Required | Description | |------|------|----------|-------------| | `X-Vercel-Auth` | string | | The auth style used in the request (system, user, etc) | | `Idempotency-Key` | string | | A unique key to identify a request across multiple retries | ## Request Body **Content-Type**: `application/json` ```json { "reason": "string" // Optional reason for the secrets rotation request., "delayOldSecretsExpirationHours": "number" // Delay in hours before old secrets expire after rotation. The value can be fractional. } ``` ## Responses ### 200 Return the secrets rotation result **Content-Type**: `application/json` "value" ### 400 Input has failed validation **Content-Type**: `application/json` ```json { "error": { // required "code": "string" // required, "message": "string" // required // System error message, "user": { "message": "string" // User-facing error message, if applicable, "url": "string" // URL to a user-facing help article, or a dashboard page for resolution, if applicable }, "fields": [ "key": "string" // required, "message": "string" ] } } ``` ### 403 Operation failed because the authentication is not allowed to perform this operation **Content-Type**: `application/json` ```json { "error": { // required "code": "string" // required, "message": "string" // required // System error message, "user": { "message": "string" // User-facing error message, if applicable, "url": "string" // URL to a user-facing help article, or a dashboard page for resolution, if applicable } } } ``` ### 409 Operation failed because of a conflict with the current state of the resource **Content-Type**: `application/json` ```json { "error": { // required "code": "string" // required, "message": "string" // required // System error message, "user": { "message": "string" // User-facing error message, if applicable, "url": "string" // URL to a user-facing help article, or a dashboard page for resolution, if applicable } } } ``` --- ## Related - [Marketplace API Reference](/docs/integrations/create-integration/marketplace-api/reference) - [Native Integration Concepts](/docs/integrations/create-integration/native-integration) --- [View full sitemap](/docs/sitemap)