`POST /api/zsc/rotate/:name`

Manual IV rotation. Decrypts the current value, re-encrypts under a fresh 96-bit IV, writes back. Plaintext is unchanged — this is not a key rotation (for that, see Operate → ZSC Bootstrap).

Useful for:

Forcing a rotation event outside the daemon's 100-Zeqond cadence
Operator-driven re-encryption after a suspected ciphertext leak
Refreshing expires_zeqond proactively

The auto-rotation daemon does this automatically when expires_zeqond < currentZeqond(). This endpoint is the manual override.

Auth

Admin cookie (zeq_admin) required.

Path parameters

Param	Type	Notes
`name`	string	The vault key.

Request

curl -H "Cookie: zeq_admin=$ADMIN_JWT" \
     -X POST https://YOUR-FRAMEWORK/api/zsc/rotate/STRIPE_SECRET_KEY

No body required.

Response · 200 OK

{ "ok": true, "name": "STRIPE_SECRET_KEY", "rotated": true }

Errors

Status	`error`	Cause
`400`	`name required`	Empty path segment.
`401`	`unauthorized`	Admin cookie missing/invalid.
`404`	`NOT_FOUND`	No row with this `name`.
`500`	`INTERNAL_ERROR`	DB or encryption error.

Audit row

transition_type = "secret_rotated"
actor_zid       = <the admin's ZID>
payload_json    = { name, purpose: "manual_rotated" }
proof_digest    = SHA-256(name | actor_zid | transition_id | "manual_rotated")

The daemon's auto-rotations use purpose: "auto_rotated" — distinguishable in the entangled state.

POST /api/zsc/set — replace the plaintext entirely (also rotates the IV)
Operate → ZSC Bootstrap — master-key rotation procedure
Rotation daemon source — the 100-Z auto-rotation loop

Auth​

Path parameters​

Request​

Response · 200 OK​

Errors​

Audit row​

Related​