Rotate Access Code
POST
/web/v1/workspaces/{workspaceId}/institutions/{institutionBizId}/portals/portal-types/{portalType}/access-code/rotateWEBRotates the access code for the specified portal type. A new code is generated while the old code remains valid during a transition period.
Authentication
Requires a valid JWT token. Gateway validation: enableJwtToken=true, enableTurnstile=false.
Request Parameters
Path Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
workspaceId | string | Yes | path | Workspace business ID |
institutionBizId | string | Yes | path | Institution business ID |
portalType | integer | Yes | path | Portal type code (e.g., 10010101=system, 10010102=tenant) |
Success Response
Success200
{
"code": "2000",
"message": "SUCCESS",
"data": {
"accessCode": "pac_xxxx5678efgh",
"institutionBizId": "inst_abc123",
"portalType": 10010102,
"expiresAt": "2026-06-21T00:00:00Z",
"rotatingCode": "pac_xxxx1234abcd",
"rotatingCodeExpiresAt": "2026-03-28T00:00:00Z"
}
}Error Responses
| Code | Description |
|---|---|
4010 | Unauthorized (invalid or missing JWT token) |
4040 | Portal or access code not found |
Notes
- During rotation, both the new primary code and the old rotating code are valid.
- The
rotatingCodewill expire atrotatingCodeExpiresAt, after which only the new primary code is valid. - This enables zero-downtime access code rotation for clients.