Conjur HOST API Token rotation

Hi All,

Would like to know the best methods for rotating host API token frequently, can the host rotate itself the API token using API call to the master/ lead, can you suggest how to implement this requirement.



The host itself can rotate it’s own API key, using the Rotate Personal API Key endpoint.

Please let me know if this answers your question.

Hello Shlomo Heigh,

Thank you, here we have created a host and added to the layer under the policy, while trying to do getting “HTTP/1.1 401 Unauthorized” and below is the policy

Able to rotate the password even authenticated as admin user. Do I miss any privileges for the host here ?

  • !layer

  • &Application-resources

    • !host
      id: hostid-test
  • !grant
    role: !layer
    members: *Application-resources

So you’re logged in as hostid-test and are trying to rotate the api key using PUT /authn/{account}/api_key. Are you passing the hostid and current API key in the Authorization header using HTTP Basic Auth?

Yes, have authenticated as hostid-test using conjur-cli and trying to rotate its own API token.

Step1 : conjur authn login > use hostid-test login credentails

Step2 :
curl --request PUT --data “”
–user host/hostid-test:xxxxxxxxxxxx!

The code you show posted work, assuming that the host id is hostid-test and the current API key is xxxxxxxxxxxx!, and assuming https:///authn//api_key is actually https://<conjur_url>/authn/<account>/api_key. Can you please confirm those values?


Here are the things done,
Login as host identity through conjur-cli

$ conjur authn login
Enter your username to log into Conjur: host/xxxxx/hostid-test
Please enter your password (it will not be echoed):
Logged in

API call to change the API token,

$ curl -v --request PUT --data “”
–user host/axxxx/hostid-test:fjklaaaa!


< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Tue, 07 Mar 2023 08:07:37 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN


Can you please confirm that the ! is part of the api key? The example in the documentation has an exclamation point in it but that’s meant to be part of the password or api key which should be replaced with the actual value.


Thanks alot and it has sorted the problem, I did added to the end of the password creating the problem.