Rotate AceDataCloud Platform API Credential

Reissue a new Token for an existing credential—the credential ID remains unchanged, limits/expiration/IP whitelist/call history remain unchanged, only the Token plaintext is changed.

Suitable scenarios: suspicion of Token leakage, regular compliance rotation, personnel departure, etc. It is more convenient than "delete and recreate" because there is no need to change the application_id association on the business side.

⚠️ Like the create interface, the complete Token plaintext is only returned once in the response of this interface. Be sure to save it on the spot.

ℹ️ This interface belongs to the AceDataCloud Platform Management API, with a unified prefix of https://platform.acedata.cloud/api/v1/.

Interface Overview

Item Content
Method POST
URL https://platform.acedata.cloud/api/v1/credentials/{credential_id}/rotate/
Auth ✅ Requires account token
Body None / {}

Authentication Description (How to Obtain Account Token)

Request Header:

Authorization: Bearer platform-v1-92eb****629c

For obtaining methods, see Manage AceDataCloud Platform Account Token.

Path Parameters

Parameter Type Required Description
credential_id UUID The ID of the credential to rotate

Request Example

cURL

curl -X POST 'https://platform.acedata.cloud/api/v1/credentials/df3e1b1b-9e72-4c4f-9a83-1e23f7c8b4d6/rotate/' \
  -H 'accept: application/json' \
  -H 'authorization: Bearer platform-v1-92eb****629c'

Python

import requests

cred_id = "df3e1b1b-9e72-4c4f-9a83-1e23f7c8b4d6"
resp = requests.post(
    f"https://platform.acedata.cloud/api/v1/credentials/{cred_id}/rotate/",
    headers={
        "accept": "application/json",
        "authorization": "Bearer platform-v1-92eb****629c",
    },
    timeout=10,
)
cred = resp.json()
print(f"✅ New Token: {cred['token']}")
print(f"Credential ID remains unchanged: {cred['id']}")

Node.js

const credId = 'df3e1b1b-9e72-4c4f-9a83-1e23f7c8b4d6'
const r = await fetch(
  `https://platform.acedata.cloud/api/v1/credentials/${credId}/rotate/`,
  {
    method: 'POST',
    headers: { authorization: 'Bearer platform-v1-92eb****629c' },
  }
)
const cred = await r.json()
console.log('New Token:', cred.token)

Response Example (HTTP 200)

{
  "id": "df3e1b1b-9e72-4c4f-9a83-1e23f7c8b4d6",
  "user_id": "89518d07-5560-4b05-92c1-667f3ddf6a4b",
  "application_id": "82f57141-2323-4453-8730-60f7d833a2da",
  "name": "production-server-01",
  "token": "ac9999999999999999999999999999ffff",
  "amount": 50.0,
  "used_amount": 12.34,
  "remaining_amount": 37.66,
  "disabled": false,
  "expired_at": "2026-12-31T23:59:59Z",
  "tags": ["prod"],
  "metadata": null,
  "client_ip_allowlist": ["203.0.113.7/32"],
  "used_at": "2026-04-26T08:30:00Z",
  "created_at": "2026-04-26T07:55:00Z",
  "updated_at": "2026-04-26T10:12:00Z"
}

Note that the id remains unchanged, and the token has been replaced with a new value. The old Token immediately becomes invalid at the moment of rotation.

Error Handling

HTTP Code Meaning
401 not_authenticated Missing account token
403 permission_denied The credential does not belong to you
404 not_found Credential does not exist or has been deleted

Practical Tips

  • Rotation is an atomic operation: The new Token is effective when the response is returned, and the old Token is already invalid. There is no transitional period where two Tokens are valid simultaneously.
  • Zero-downtime rotation: Treat "the caller retries once with the new Token" as an emergency fallback—such as embedding "401 → fetch the latest Token → retry" into the business client.
  • Do not rotate without the ability to immediately update the business-side Token: The old Token will become invalid immediately. If the business side cannot quickly change the Token, first use disabled=true to soft shut down (PATCH is not currently open, deletion can be used).
  • Rotation does not affect: limits (amount), expiration time (expired_at), IP whitelist, call history, tags, metadata.