# Rotate credentials

Canonical: https://docs.flowrelay.app/setup/rotate-credentials/
Markdown: https://docs.flowrelay.app/setup/rotate-credentials.md

Rotate an endpoint secret deliberately. FlowRelay shows the new full secret once and never reveals the previous full secret.

## Steps
Complete these in order.
1. Open the endpoint detail page for the sender that needs a new secret.
2. Confirm the sender owner is ready to update their private configuration immediately after rotation.
3. Rotate the endpoint secret in FlowRelay and copy the new value only into the sender's private secret manager.
4. Confirm the sender no longer uses the previous secret because the old value stops working after rotation.
5. Send one synthetic test event and open the receipt to confirm authentication succeeds.
6. Share only the receipt outcome or diagnostics package if troubleshooting is needed. Do not paste the new secret, old secret, full auth header, or signature into support.
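
One way to enforce step 6 before anything is pasted into a support ticket, as an added example that is not FlowRelay code: it masks known secrets down to their last four characters and blanks auth and signature header values. The header names and the sample text are assumptions constructed for illustration.

```python
import re

# Header names are assumptions for illustration; the page does not name the
# headers a sender uses. Replace them with the sender's real header names.
SENSITIVE_HEADERS = ("authorization", "x-signature", "x-hmac-signature")
HEADER_RE = re.compile(
    r"(?im)^(\s*[\"']?(?:%s)[\"']?\s*[:=]\s*)(.+)$"
    % "|".join(map(re.escape, SENSITIVE_HEADERS))
)


def last_four(secret):
    """Safe metadata form: hide everything except the last four characters."""
    return "****" + secret[-4:] if len(secret) > 8 else "****"


def scrub(text, secrets):
    """Return (clean_text, findings) for text about to be sent to support.

    secrets: the old and new endpoint secrets, read from the secret manager.
    """
    findings = []
    # Longest first, so a secret that contains another one is masked whole.
    for s in sorted(set(filter(None, secrets)), key=lambda v: (-len(v), v)):
        if s in text:
            findings.append("endpoint secret " + last_four(s))
            text = text.replace(s, last_four(s))

    def mask_header(match):
        name = match.group(1).strip(" \t\r\n\"':=").lower()
        findings.append("header value: " + name)
        return match.group(1) + "[REDACTED]"

    return HEADER_RE.sub(mask_header, text), findings


# Constructed sample with fake values; not real FlowRelay output.
OLD = "old_EXAMPLE_secret_0000"
NEW = "new_EXAMPLE_secret_1111"
SAMPLE = (
    "receipt: authentication failed\n"
    "Authorization: Bearer new_EXAMPLE_secret_1111\n"
    "X-Signature: sha256=deadbeef\n"
    "note: sender still configured with old_EXAMPLE_secret_0000\n"
)

if __name__ == "__main__":
    clean, found = scrub(SAMPLE, [OLD, NEW])
    print(clean)
    print("redacted:", found)
```

A non-empty findings list means the text contained material that must not be shared; send only the scrubbed version.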

## When to rotate
Rotate when a secret may have been exposed, a partner no longer needs access, a sender changes ownership, or an operator wants a clean credential handoff.


## What changes
The endpoint URL stays the same. The endpoint secret changes, the new value is shown once, and later screens show only safe secret metadata such as the last four characters.


## Agent boundary
An authorized agent may prepare or execute a rotation only when the grant includes the required scope. It still cannot retrieve old secrets, Shopify tokens, session data, raw payloads, or database credentials.


## Related
- [Authenticate requests](https://docs.flowrelay.app/setup/authentication.md)
- [Read receipts](https://docs.flowrelay.app/operate/receipts.md)
- [Share diagnostics](https://docs.flowrelay.app/recover/diagnostics.md)

## Safety boundary
Do not include raw payloads, endpoint secrets, auth headers, HMAC values, Shopify tokens, Shopify sessions, database URLs, customer data, merchant incidents, or copied private logs in public examples.