Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Access
Service Tokens

Rotate a service token

client.zeroTrust.access.serviceTokens.rotate(stringserviceTokenId, ServiceTokenRotateParams { account_id, previous_client_secret_expires_at } params, RequestOptionsoptions?): ServiceTokenRotateResponse { id, client_id, client_secret, 2 more }
POST/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate

Generates a new Client Secret for a service token and revokes the old one.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
ParametersExpand Collapse
serviceTokenId: string

UUID.

maxLength36
params: ServiceTokenRotateParams { account_id, previous_client_secret_expires_at }
account_id: string

Path param: Identifier.

maxLength32
previous_client_secret_expires_at?: string

Body param: The expiration of the previous client_secret. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

formatdate-time
ReturnsExpand Collapse
ServiceTokenRotateResponse { id, client_id, client_secret, 2 more }
id?: string

The ID of the service token.

client_id?: string

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

client_secret?: string

The Client Secret for the service token. Access will check for this value in the CF-Access-Client-Secret request header.

duration?: string

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

name?: string

The name of the service token.

Rotate a service token

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.zeroTrust.access.serviceTokens.rotate(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(response.id);
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}