Trigger credential rotation fan-out
Called by the operator (CLI or admin UI) after rotating an upstream credential (Vault, 1Password, encrypted DB row, …). Re-resolves the `(orgId, kind)` tuple via the credential provider registry and fans the fresh value out to every live `rotate-stream` SSE subscriber for that org. Zero live subscribers is not an error. Auth: `Bearer rsk_*` via `getCliOrSessionAuth`. The `orgId` in the body must match the authenticated org. For `session` / `user_token` auth the caller must have `admin` or `owner` role; for `api_key` auth the cross-tenant guard is sufficient. The audit write is deferred (`after()`) and failures are non-fatal - the fan-out already fired.
Authorization
rsk_Bearer Rensei API key. Format: rsk_live_<random>. Generated in Settings or via POST /api/org/{orgId}/keys. Used by CLI (af), daemon, and programmatic integrations.
In: header
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/api/daemon/credentials/rotate" \ -H "Content-Type: application/json" \ -d '{ "orgId": "string", "kind": "string" }'{
"ok": true,
"kind": "string",
"sessionCount": 0,
"rotatedAt": "2019-08-24T14:15:22Z"
}{
"error": "Session not found"
}{
"error": "Session not found"
}{
"error": "Session not found"
}{
"error": "Session not found"
}{
"error": "Session not found"
}SSE stream for credential rotation events
Server-Sent Events stream. Emits `UPDATE` events when an upstream OAuth rotation occurs for the session's credentials. Keyed by `sessionId` query parameter.
List daemon mutation history for a host
List daemon mutation history for a host - Rensei REST API operation reference.