> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Rotate > Rotate re-mints the paired credential's secret material, preserves the decoy_id binding, and returns the new one-time vending material. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/decoys/{id}/rotate openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/decoys/{id}/rotate: post: tags: - Decoy summary: Rotate description: |- Rotate re-mints the paired credential's secret material, preserves the decoy_id binding, and returns the new one-time vending material. operationId: c1.api.decoy.v1.DecoyService.Rotate parameters: - in: path name: id required: true schema: description: The id field. type: string requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyServiceRotateRequestInput responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyServiceRotateResponse description: Successful response x-codeSamples: - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.decoy.rotate({ id: "", }); console.log(result); } run(); components: schemas: c1.api.decoy.v1.DecoyServiceRotateRequestInput: description: The DecoyServiceRotateRequest message. title: Decoy Service Rotate Request type: object x-speakeasy-name-override: DecoyServiceRotateRequest c1.api.decoy.v1.DecoyServiceRotateResponse: description: The DecoyServiceRotateResponse message. properties: decoy: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.Decoy' - type: 'null' material: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyVendingMaterial' - type: 'null' title: Decoy Service Rotate Response type: object x-speakeasy-name-override: DecoyServiceRotateResponse c1.api.decoy.v1.Decoy: description: |- Decoy is the read projection of a planted honey-credential. All fields except annotations are server-managed. properties: annotations: additionalProperties: type: string description: |- Customer-defined grouping/filtering bag. PATCH semantics on Update: keys in the request overwrite, keys missing stay, keys set to empty string delete. Copied onto the Finding produced when a decoy fires, so routing rules can condition on the same keys. type: object x-speakeasy-terraform-plan-modifier: imports: - >- github.com/conductorone/terraform-provider-conductorone/internal/annotations schemaDefinition: annotations.PlanModifier() createdAt: format: date-time readOnly: true type: - string - 'null' description: description: The description field. type: - string - 'null' disabled: description: Admin-disabled. type: - boolean - 'null' displayName: description: The displayName field. type: - string - 'null' id: description: The id field. readOnly: true type: - string - 'null' kind: description: The kind field. enum: - DECOY_KIND_UNSPECIFIED - DECOY_KIND_USER_CLIENT_CREDENTIAL - DECOY_KIND_CONNECTOR_CLIENT - DECOY_KIND_WORKLOAD_FEDERATION - DECOY_KIND_ACCESS_TOKEN readOnly: true type: - string - 'null' x-speakeasy-unknown-values: allow lastUsedAt: format: date-time readOnly: true type: - string - 'null' materialFingerprintSha256: description: |- Hex-encoded SHA256 of the secret string vended at Create / Rotate. Stable for the decoy's current material; changes only on Rotate. Empty for WorkloadFederation decoys (no server-vended secret). readOnly: true type: - string - 'null' updatedAt: format: date-time readOnly: true type: - string - 'null' title: Decoy type: object x-speakeasy-name-override: Decoy c1.api.decoy.v1.DecoyVendingMaterial: description: > DecoyVendingMaterial carries the freshly-vended secret material returned exactly once at Create or Rotate. This message contains a oneof named material. Only a single field of the following list may be set at a time: - clientCredential - accessToken - workloadFederation properties: accessToken: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyAccessTokenMaterial' - type: 'null' clientCredential: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyClientCredentialMaterial - type: 'null' workloadFederation: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyWorkloadFederationMaterial - type: 'null' title: Decoy Vending Material type: object x-speakeasy-name-override: DecoyVendingMaterial c1.api.decoy.v1.DecoyAccessTokenMaterial: description: DecoyAccessTokenMaterial is returned for AccessToken decoys. properties: accessToken: description: The accessToken field. type: - string - 'null' title: Decoy Access Token Material type: object x-speakeasy-name-override: DecoyAccessTokenMaterial c1.api.decoy.v1.DecoyClientCredentialMaterial: description: |- DecoyClientCredentialMaterial is returned for UserClientCredential and ConnectorClient decoys. properties: clientId: description: The clientId field. type: - string - 'null' clientSecret: description: The clientSecret field. type: - string - 'null' title: Decoy Client Credential Material type: object x-speakeasy-name-override: DecoyClientCredentialMaterial c1.api.decoy.v1.DecoyWorkloadFederationMaterial: description: |- DecoyWorkloadFederationMaterial is returned for WorkloadFederation decoys. No vended secret; the operator binds the trust on the IdP side. properties: workloadFederationTrustId: description: The workloadFederationTrustId field. type: - string - 'null' title: Decoy Workload Federation Material type: object x-speakeasy-name-override: DecoyWorkloadFederationMaterial securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````