# Rotate credentials

Canonical: https://docs.flowrelay.app/setup/rotate-credentials/
Markdown: https://docs.flowrelay.app/setup/rotate-credentials.md

Rotate an endpoint secret deliberately. FlowRelay shows the new full secret once and never reveals the previous full secret.

## Steps
Complete these in order.
1. Open the endpoint detail page for the sender that needs a new secret.
2. Confirm the sender owner is ready to update their private configuration immediately after rotation.
3. Rotate the endpoint secret in FlowRelay and copy the new value only into the sender's private secret manager.
4. Confirm the sender no longer uses the previous secret because the old value stops working after rotation.
5. Send one synthetic test event and open the receipt to confirm authentication succeeds.
6. Share only the receipt outcome or a diagnostics share if troubleshooting is needed. Do not paste the new secret, old secret, full authentication header, or signature into support.
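
One way to enforce step 6 before anything is pasted into a support channel, as an added example that is not FlowRelay code: a scrubber that masks known secrets down to their last four characters and drops sensitive header values. The header names, the placeholder secrets and the sample note are assumptions constructed for illustration; this page does not name the headers a sender uses.

```python
import re

# Assumed header names: this page does not name the headers a sender uses.
SENSITIVE_HEADERS = ("authorization", "x-signature")

def mask(secret):
    """Safe metadata only: a fixed mask plus the last four characters."""
    return "****" + secret[-4:] if len(secret) > 8 else "****"

def scrub(text, known_secrets=(), headers=SENSITIVE_HEADERS):
    """Redact known secrets and sensitive header values before sharing."""
    # Longest first, so a secret that contains another is masked whole.
    for s in sorted(filter(None, known_secrets), key=len, reverse=True):
        text = text.replace(s, mask(s))
    # Drop the whole value of each sensitive "Name: value" line, which also
    # covers tokens and signatures that are not in known_secrets.
    names = "|".join(re.escape(h) for h in headers)
    line = re.compile(rf"(?im)^([ \t]*(?:{names})[ \t]*:[ \t]*).+$")
    return line.sub(r"\1[REDACTED]", text)

def leaks(text, known_secrets):
    """Masked names of any known secrets still present in text."""
    return [mask(s) for s in known_secrets if s and s in text]

# Constructed placeholders and a constructed note; not real FlowRelay values or output.
OLD = "EXAMPLE-OLD-SECRET-aaaa1111"
NEW = "EXAMPLE-NEW-SECRET-bbbb2222"
SAMPLE = """\
POST /hook HTTP/1.1
Authorization: Bearer EXAMPLE-NEW-SECRET-bbbb2222
X-Signature: sha256=0000feedface
Content-Type: application/json

note: sender config still contained EXAMPLE-OLD-SECRET-aaaa1111
"""

if __name__ == "__main__":
    safe = scrub(SAMPLE, [OLD, NEW])
    assert not leaks(safe, [OLD, NEW])
    print(safe)
```

Run `leaks()` on the scrubbed text as a final gate: an empty list means neither the old nor the new secret survives in what is about to be shared.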

## When to rotate
Rotate when a secret may have been exposed, a partner no longer needs access, a sender changes ownership, or an operator wants a clean credential handoff.


## What changes
The endpoint URL stays the same. The endpoint secret changes, the new value is shown once, and later screens show only safe secret metadata such as the last four characters.


## Agent boundary
An authorized agent may prepare or execute a rotation only when the grant includes the required scope. It still cannot retrieve old secrets, Shopify tokens, session data, raw event bodies, or database credentials.


## Related
- [Authenticate requests](https://docs.flowrelay.app/setup/authentication.md)
- [Read receipts](https://docs.flowrelay.app/operate/receipts.md)
- [Share diagnostics](https://docs.flowrelay.app/recover/diagnostics.md)

## Safety boundary
Do not include raw event bodies, endpoint secrets, authentication headers, HMAC values, Shopify tokens, Shopify sessions, database URLs, customer data, merchant incidents, or copied private logs in public examples.
