Rotate a bound endpoint's label
Issues a fresh §9.3(b) label for the binding identified by (UUID from the mint response). The prior label is invalidated immediately. The new label is returned once; it is never logged. Returns only endpoint_id_label (connect_secret is not rotated; it stays fixed per binding).
{id} (the binding_id from
the bind response). The prior label is invalidated
immediately — a subsequent profile GET on the old label returns 404. Only
endpoint_id_label is returned; the connect_secret is not rotated (it stays fixed per
binding).
Rotate on your window cadence to keep the bound-resolver label short-lived. Because rotation is
atomic and the old label dies instantly, poll the new label before discarding the old one only
if you cannot tolerate a single missed cycle.
Worked example
sign_request / SignRequest helper is defined once in the
request-signing guide — its Python, Go, and curl+openssl
recipes are verified against this sandbox. Even an empty-body POST covers content-digest
(over the bytes {}).200 response (captured from the hosted sandbox):
iGrFqzp4…) now returns 404 on
GET /enforcement-profiles/{endpoint_id}.Path Parameters
Binding UUID from the mint response (binding_id).
Response
Rotated. New label replaces the prior one immediately.
Binding rotation result. Source: EndpointHandlers.Rotate response in internal/ocsshttp/handler_endpoints.go. Returns a fresh label only.
Rotated high-entropy §9.3(b) label. Replaces the prior label immediately; the prior label returns 404 after rotation. Never log.