> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dataraven.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Update Secret

> Update secret properties and/or rotate credentials.

**Required Role:** ADMIN or OWNER

**Updatable fields:**
- name: Rename the secret
- description: Update description
- secret_type: Change provider type (validates linked locations match)
- auth_method: Change auth mechanism (must be valid for secret_type)
- credentials: Rotate credentials (AWS SSM Parameter Store secrets only)
- field_mappings: Update vault references (external vault secrets only)

**Validation rules:**
- If changing secret_type, all linked locations must have matching location_type
- If changing auth_method, must be valid for the (new or existing) secret_type
- External vault secrets cannot have credentials updated (manage in your vault)
- AWS SSM Parameter Store secrets cannot have field_mappings updated (use credentials)
- Cannot provide both credentials and field_mappings in the same request

**Immutable field:**
- vault_connection_id (cannot change vault provider after creation)

**Security Note:** Credentials are stored encrypted in Vault.
The response will NOT include the credentials.



## OpenAPI

````yaml PATCH /v1/teams/{team_id}/secrets/{secret_id}
openapi: 3.1.0
info:
  title: Data Raven API
  description: Cloud-to-cloud data transfer platform powered by RClone
  version: 0.5.0
servers: []
security: []
paths:
  /v1/teams/{team_id}/secrets/{secret_id}:
    patch:
      tags:
        - Secrets
      summary: Update Secret
      description: >-
        Update secret properties and/or rotate credentials.


        **Required Role:** ADMIN or OWNER


        **Updatable fields:**

        - name: Rename the secret

        - description: Update description

        - secret_type: Change provider type (validates linked locations match)

        - auth_method: Change auth mechanism (must be valid for secret_type)

        - credentials: Rotate credentials (AWS SSM Parameter Store secrets only)

        - field_mappings: Update vault references (external vault secrets only)


        **Validation rules:**

        - If changing secret_type, all linked locations must have matching
        location_type

        - If changing auth_method, must be valid for the (new or existing)
        secret_type

        - External vault secrets cannot have credentials updated (manage in your
        vault)

        - AWS SSM Parameter Store secrets cannot have field_mappings updated
        (use credentials)

        - Cannot provide both credentials and field_mappings in the same request


        **Immutable field:**

        - vault_connection_id (cannot change vault provider after creation)


        **Security Note:** Credentials are stored encrypted in Vault.

        The response will NOT include the credentials.
      operationId: update_secret_v1_teams__team_id__secrets__secret_id__patch
      parameters:
        - name: secret_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
            title: Secret Id
        - name: team_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
            title: Team Id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SecretUpdate'
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SecretResponse'
        '400':
          description: Invalid update data
        '404':
          description: Secret not found
        '409':
          description: Secret with this name already exists
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
        '500':
          description: Failed to update secret
      security:
        - HTTPBearer: []
components:
  schemas:
    SecretUpdate:
      properties:
        name:
          anyOf:
            - type: string
              maxLength: 255
              minLength: 1
            - type: 'null'
          title: Name
        description:
          anyOf:
            - type: string
              maxLength: 2000
            - type: 'null'
          title: Description
        secret_type:
          anyOf:
            - $ref: '#/components/schemas/LocationType'
            - type: 'null'
          description: Change provider type
        auth_method:
          anyOf:
            - $ref: '#/components/schemas/AuthMethod'
            - type: 'null'
          description: Change auth mechanism
        credentials:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Credentials
          description: New credentials (AWS SSM Parameter Store only)
        field_mappings:
          anyOf:
            - items:
                $ref: '#/components/schemas/FieldMapping'
              type: array
            - type: 'null'
          title: Field Mappings
          description: Updated field mappings (external vault only)
      type: object
      title: SecretUpdate
      description: >-
        Schema for updating secret properties and/or rotating credentials.


        All fields are optional - only include fields you want to update.


        **Updatable fields:**

        - name: Rename the secret

        - description: Update description

        - secret_type: Change provider type (validates linked locations match)

        - auth_method: Change auth mechanism (validates it's valid for
        secret_type)

        - credentials: Rotate credentials (AWS SSM Parameter Store secrets only)

        - field_mappings: Update vault references (external vault secrets only)


        **Validation rules:**

        - If changing secret_type, all linked locations must have matching
        location_type

        - If changing auth_method, must be valid for the (new or existing)
        secret_type

        - If providing credentials, they are validated against the (new or
        existing) auth_method

        - External vault secrets cannot have credentials updated (manage in your
        vault)

        - AWS SSM Parameter Store secrets cannot have field_mappings updated
        (use credentials)

        - Cannot provide both credentials and field_mappings in the same update
    SecretResponse:
      properties:
        id:
          type: string
          format: uuid
          title: Id
        name:
          type: string
          title: Name
        description:
          anyOf:
            - type: string
            - type: 'null'
          title: Description
        secret_type:
          $ref: '#/components/schemas/LocationType'
        auth_method:
          $ref: '#/components/schemas/AuthMethod'
        created_at:
          type: string
          format: date-time
          title: Created At
        created_by:
          type: string
          format: uuid
          title: Created By
      type: object
      required:
        - id
        - name
        - description
        - secret_type
        - auth_method
        - created_at
        - created_by
      title: SecretResponse
      description: |-
        Schema for secret metadata response (without credentials).

        Credentials are NEVER returned in any API response.
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    LocationType:
      type: string
      enum:
        - s3
        - azure_blob
        - gcs
        - r2
        - b2
        - wasabi
        - railway
        - oracle_object_storage_s3
        - s3_compatible
        - tigris
        - digitalocean_spaces
        - hetzner
        - rabata
      title: LocationType
      description: Cloud storage provider types.
    AuthMethod:
      type: string
      enum:
        - s3_access_key
        - r2_access_key
        - wasabi_access_key
        - railway_access_key
        - oracle_object_storage_s3_access_key
        - s3_compatible_access_key
        - tigris_access_key
        - digitalocean_spaces_access_key
        - hetzner_access_key
        - rabata_access_key
        - azure_account_key
        - azure_sas_url
        - gcs_service_account
        - b2_application_key
      title: AuthMethod
      description: |-
        Authentication mechanism identifiers for cloud storage credentials.

        Each provider may support one or more authentication methods.
        Explicit names ensure clarity and make it easy to add new methods.
    FieldMapping:
      properties:
        field_name:
          type: string
          maxLength: 100
          minLength: 1
          title: Field Name
          description: Credential field name (e.g., access_key_id, secret_access_key)
        reference:
          type: string
          maxLength: 500
          minLength: 1
          title: Reference
          description: >-
            External vault reference (op:// URI for 1Password, secret name for
            Doppler/Infisical)
      type: object
      required:
        - field_name
        - reference
      title: FieldMapping
      description: |-
        Mapping from a credential field name to an external vault reference.

        For 1Password: references are op:// URIs (e.g., op://vault/item/field)
        For Doppler: references are secret names (e.g., AWS_ACCESS_KEY_ID)
        For Infisical: references are secret names (e.g., AWS_ACCESS_KEY_ID)
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
        input:
          title: Input
        ctx:
          type: object
          title: Context
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    HTTPBearer:
      type: http
      scheme: bearer

````