Issue a fresh client secret for a service account. The public `client_id` is preserved so existing audit and log references remain valid; only the secret half of the credential pair changes.
POST /v1/oauth/clients/{id}
POST
/v1/oauth/clients/{id}
The new secret is returned in the response exactly once — store it
immediately. Existing access tokens stay valid until they expire, but
refresh-token grants under the old secret will fail. To stop all
bearer use immediately, revoke the service account
(PATCH /v1/oauth/clients/{id} with revoked: true) first.
Resetting a revoked service account returns 409 — un-revoke it first.
Authorizations
Section titled “Authorizations ”Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ” id
required
string format: uuid
OAuth client ID
Responses
Section titled “ Responses ”Credentials reset; new secret returned once
object
allowed_ips
array | null
client_id
required
string
client_name
required
string
client_secret
string | null
created_by
string | null format: uuid
created_date
required
string format: date-time
expires_at
string | null format: date-time
id
required
string format: uuid
last_used
string | null format: date-time
org_id
required
string format: uuid
revoked_at
string | null format: date-time
roles
required
Array<string>
user
required
The service-account user this key authenticates as. 1:1 with the key; used by the UI to render a user chip alongside each row.
object
email
required
string
first_name
required
string
icon
Relative path to the user’s avatar endpoint, e.g.
"users/{id}/avatar?v={hash}". None when the user has no avatar.
string | null
id
required
string format: uuid
last_name
required
string
user_id
required
string format: uuid
Unauthorized
Forbidden
Not found
Service account is revoked