SSE stream for credential rotation events
Server-Sent Events stream. Emits `UPDATE` events when an upstream OAuth rotation occurs for the session's credentials. Keyed by `sessionId` query parameter.
Authorization
rsk_Bearer Rensei API key. Format: rsk_live_<random>. Generated in Settings or via POST /api/org/{orgId}/keys. Used by CLI (af), daemon, and programmatic integrations.
In: header
Query Parameters
Response Body
text/event-stream
application/json
```
curl -N -X GET "https://example.com/api/daemon/credentials/rotate-stream?sessionId=string" \
  -H "Authorization: Bearer rsk_live_<random>"
```

```
"string"
```

```
{
  "error": "Session not found"
}
```

Resolve credential env map for a session
Called by the host daemon at session spawn to obtain the merged environment variable map for the agent. The `orgId` in the body must match the authenticated org (cross-tenant guard). An audit event is emitted asynchronously and does not include secret values.
Trigger credential rotation fan-out
Called by the operator (CLI or admin UI) after rotating an upstream credential (Vault, 1Password, encrypted DB row, …). Re-resolves the `(orgId, kind)` tuple via the credential provider registry and fans the fresh value out to every live `rotate-stream` SSE subscriber for that org. Zero live subscribers is not an error.

Auth: `Bearer rsk_*` via `getCliOrSessionAuth`. The `orgId` in the body must match the authenticated org. For `session` / `user_token` auth the caller must have the `admin` or `owner` role; for `api_key` auth the cross-tenant guard is sufficient.

The audit write is deferred (`after()`) and its failures are non-fatal, because the fan-out has already fired.
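
The authorization and fan-out rules described above, modelled as an added example (not the project's own code). The function names, the shape of the auth object, the HTTP status codes and the fields of the `UPDATE` payload are assumptions made for illustration.

```javascript
// Added example: a model of the rotate fan-out rules, not the project's code.
// Assumed names: authorizeRotation, rotate, the auth object shape, status codes.
const ADMIN_ROLES = new Set(["admin", "owner"]);

function authorizeRotation(auth, body) {
  if (!auth || typeof auth.orgId !== "string") {
    return { ok: false, status: 401, error: "unauthenticated" };
  }
  // Cross-tenant guard: runs for every auth type, before any role check.
  if (!body || body.orgId !== auth.orgId) {
    return { ok: false, status: 403, error: "orgId does not match authenticated org" };
  }
  if (auth.type === "api_key") return { ok: true };
  if (auth.type === "session" || auth.type === "user_token") {
    return ADMIN_ROLES.has(auth.role)
      ? { ok: true }
      : { ok: false, status: 403, error: "admin or owner role required" };
  }
  return { ok: false, status: 403, error: "unsupported auth type" }; // fail closed
}

// subscribers: Map of orgId -> Set of send(event) callbacks (live SSE streams).
function rotate(auth, body, subscribers, resolveCredential, writeAudit) {
  const decision = authorizeRotation(auth, body);
  if (!decision.ok) return decision;
  const value = resolveCredential(body.orgId, body.kind);
  let delivered = 0;
  for (const send of subscribers.get(body.orgId) ?? []) {
    try {
      send({ event: "UPDATE", kind: body.kind, value });
      delivered += 1;
    } catch {
      // A broken stream must not block delivery to the remaining subscribers.
    }
  }
  // The page defers the audit write with after(); here it simply runs last.
  // The record carries no secret value, and a failed write is swallowed.
  try {
    writeAudit({ orgId: body.orgId, kind: body.kind, authType: auth.type, delivered });
  } catch {
    // non-fatal: the fan-out already fired
  }
  return { ok: true, delivered }; // delivered === 0 is a success, not an error
}
```

The guard is evaluated before the credential is resolved, so a mismatched `orgId` never reaches the provider registry or any subscriber.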