> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate credentials



## OpenAPI

````yaml /products/link/openapi.yaml post /api/admin/backends/{id}/rotate-credentials
openapi: 3.0.0
info:
  description: >-
    Admin API for managing Link protocols and backends (Bundled and Standalone
    editions).
  title: Link API
  version: '1.0'
servers:
  - url: https://{instance}.{env}.on-hellgate.cloud
    description: Managed instance of Link
    variables:
      instance:
        default: my-instance
        description: Your unique instance slug, provided during onboarding.
      env:
        default: eu1
        description: Deployment environment (currently eu1).
security: []
tags: []
paths:
  /api/admin/backends/{id}/rotate-credentials:
    post:
      tags:
        - Backends
      summary: Rotate credentials
      operationId: backends_rotate_credentials
      parameters:
        - description: ''
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BackendCredentialsRotateRequest'
        description: Credential rotation
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BackendDetail'
          description: Backend updated
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
          description: Forbidden
        '404':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
          description: Not found
        '422':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationErrors'
          description: Validation error
      callbacks: {}
      security:
        - bearerAuth: []
components:
  schemas:
    BackendCredentialsRotateRequest:
      properties:
        credentials:
          $ref: '#/components/schemas/BackendCredentials'
      required:
        - credentials
      title: BackendCredentialsRotateRequest
      type: object
    BackendDetail:
      properties:
        auth_pipeline:
          $ref: '#/components/schemas/AuthPipeline'
        connections:
          additionalProperties:
            $ref: '#/components/schemas/ConnectionConfig'
          description: Map of action keys to connection configurations
          type: object
        enabled:
          type: boolean
        encryption:
          $ref: '#/components/schemas/EncryptionConfig'
        host:
          type: string
        id:
          type: string
        inserted_at:
          format: date-time
          type: string
        name:
          type: string
        protocol:
          type: string
      title: BackendDetail
      type: object
    Error:
      description: Generic error response.
      properties:
        classifier:
          example: NOT_FOUND
          type: string
        code:
          example: 404
          type: integer
        message:
          example: The requested resource does not exist
          type: string
      required:
        - classifier
        - code
        - message
      title: Error
      type: object
    ValidationErrors:
      description: Response shape for request validation failures.
      properties:
        classifier:
          example: VALIDATION_ERROR
          type: string
        code:
          example: 422
          type: integer
        validation_errors:
          items:
            properties:
              message:
                example: url is required
                type: string
              path:
                example: url
                nullable: true
                type: string
            type: object
          type: array
      required:
        - classifier
        - code
        - validation_errors
      title: ValidationErrors
      type: object
    BackendCredentials:
      description: >-
        Credential material for the auth pipeline. Shape is determined by
        `auth_pipeline.source_type` and `auth_pipeline.credential_type`.
      oneOf:
        - properties:
            password:
              type: string
            username:
              type: string
          required:
            - username
            - password
          title: InlineBasicCredentials
          type: object
        - properties:
            token:
              type: string
          required:
            - token
          title: InlineBearerCredentials
          type: object
        - properties:
            key_id:
              type: string
            shared_secret:
              description: Base64-encoded secret
              type: string
          required:
            - key_id
            - shared_secret
          title: InlineHmacCredentials
          type: object
        - properties:
            vault_path:
              description: >-
                Vault KV v2 path, e.g. `secret/data/credentials/my-backend`. The
                secret must contain the inline credential fields for the chosen
                auth pipeline type.
              type: string
          required:
            - vault_path
          title: VaultCredentials
          type: object
      title: BackendCredentials
    AuthPipeline:
      properties:
        date_header:
          description: Header name for the date value
          type: string
        extra_headers:
          additionalProperties:
            type: string
          description: Additional headers appended to requests
          type: object
        header_values:
          additionalProperties:
            type: string
          description: Static header values
          type: object
        method:
          description: HTTP method override (default POST)
          type: string
        signed_headers:
          description: Headers to include in HMAC signature
          items:
            type: string
          type: array
        token_prefix:
          description: >-
            Token prefix for bearer auth (default: "Bearer", use "token" for
            Ravelin)
          type: string
        type:
          description: Authentication strategy
          enum:
            - hmac_sha256
            - basic
            - bearer
          type: string
      required:
        - type
      title: AuthPipeline
      type: object
    ConnectionConfig:
      description: >-
        Configuration for a single connection. Must have either mocks or live
        mapping (endpoint/request_mapping/response_mapping).
      properties:
        endpoint:
          additionalProperties: true
          description: Live endpoint configuration
          type: object
        mocks:
          description: Mock response definitions
          items:
            additionalProperties: true
            type: object
          type: array
        request_mapping:
          $ref: '#/components/schemas/RequestMapping'
        response_mapping:
          $ref: '#/components/schemas/ResponseMapping'
      title: ConnectionConfig
      type: object
    EncryptionConfig:
      description: >-
        Optional per-backend message-level encryption (MLE). When set, the
        mapped request body is JWE-encrypted before dispatch and the response
        body is decrypted before response mapping. Key material is managed via
        /api/admin/keys.
      nullable: true
      properties:
        algorithm:
          description: JWE key-management algorithm (JOSE `alg`).
          example: RSA-OAEP-256
          type: string
        encryption_method:
          description: JWE content-encryption algorithm (JOSE `enc`).
          example: A256GCM
          type: string
        extra_header_claims:
          description: Additional JOSE header claims to include (currently supports `iat`).
          items:
            enum:
              - iat
            type: string
          type: array
        mode:
          description: >-
            Envelope mode. `whole_body` wraps the entire JSON body in
            `{request_field: <JWE>}`.
          enum:
            - whole_body
          type: string
        request_field:
          description: >-
            Envelope field name for the outbound JWE (default
            `encryptedRequest`).
          example: encryptedRequest
          type: string
        request_key_kid:
          description: '`kid` of an encryption key with purpose `encrypt_request`.'
          type: string
        response_field:
          description: >-
            Envelope field name for the inbound JWE (default
            `encryptedResponse`).
          example: encryptedResponse
          type: string
        response_key_kids:
          description: >-
            Ordered list of `kid`s (purpose `decrypt_response`) tried in order
            when decrypting responses. Allows rotation overlap.
          items:
            type: string
          type: array
      required:
        - mode
        - algorithm
        - encryption_method
        - request_key_kid
        - response_key_kids
      title: EncryptionConfig
      type: object
    RequestMapping:
      description: >-
        Template-shaped request mapping. Both `body` and `headers` carry
        template strings resolved against the caller's invoke body and headers
        at runtime.
      properties:
        body:
          additionalProperties: true
          description: >
            Recursive object mirroring the backend's expected request body.
            Leaves

            are plain JSON values: strings carry the mustache-style template
            grammar

            (`{{ $req.body.x | filter }}`), other primitives are literals. See

            `Link.Mapping.Parser` for the full grammar and filter catalogue.
          type: object
        headers:
          additionalProperties:
            type: string
          description: >
            Outbound HTTP headers, keyed by header name. Each value is a
            template

            string that must resolve to a scalar coercible to a string.
            Auth-pipeline

            headers (HMAC `Digest`, etc.) override mapped headers on conflict.
          type: object
      title: RequestMapping
      type: object
    ResponseMapping:
      additionalProperties:
        properties:
          body:
            additionalProperties: true
            description: >
              Recursive template; leaves are plain JSON values where strings
              follow the

              mustache-style template grammar. Response templates may reference
              all

              four scoped roots: `$req.body.*`, `$req.header.*`, `$res.body.*`,
              and

              `$res.header.*`.
            type: object
          return:
            description: Protocol HTTP status code to return to the caller.
            type: string
        required:
          - return
          - body
        type: object
      description: >-
        Map of backend HTTP status patterns (`201`, `4xx`, `default`, ...) to
        response rules. Each rule has a `return` (the protocol HTTP status to
        return to the caller) and a `body` template that produces the
        protocol-shaped response.
      title: ResponseMapping
      type: object
  securitySchemes:
    bearerAuth:
      bearerFormat: JWT
      scheme: bearer
      type: http

````