Connect Secret
Each tunnel has a connect_secret that your agent presents when opening its persistent connection. The secret is shown once at tunnel creation. If you lose it or suspect it's been compromised, rotate it.
Rotate connect secret POST
POST /tunnels/{tunnel_id}/rotate-secretGenerate a new connect_secret for this tunnel. The new secret is shown once in the response — store it securely.
Existing live connections are not actively kicked off. They keep serving traffic until the agent reconnects (idle drop, deploy, restart), at which point the old secret is rejected and the agent must present the new one. To cut over hard, restart your agent immediately after rotating.
Rate-limited to 5 successful rotations per tunnel per day.
Path parameters
| Parameter | Type | Description |
|---|---|---|
tunnel_id | UUID | Tunnel ID |
Response (200)
JSONError responses
| Status | Description |
|---|---|
| 404 | Tunnel not found in your organization |
| 429 | Daily rotation rate limit exceeded |
Code examples
cURL