Rotate Internal Credentials

  • reference
    Credentials used for Couchbase-Server internal users can be rotated at any time, on a specified node, by means of the REST API.

    HTTP Method and URI

    POST /node/controller/rotateInternalCredentials


    Rotates, on the specified node. all credentials used for Couchbase-Server internal users. Internal users include @eventing, @cbq-engine, @ns_server, @index, @projector, @goxdcr, @fts, and @cbas.

    Note that these internal credentials are already rotated automatically, by default, in accordance with the interval specified by the intCredsRotationInterval parameter of POST /settings/security/ (described in Configure On-the-Wire Security). However, the POST /node/controller/rotateInternalCredentials method and URI additionally permit the credentials to be rotated immediately, in the event of a security breach.

    Curl Syntax

    curl -X POST -u <username>:<password>


    If successful, the method gives 200 OK, and returns an empty array.

    An incorrect URI gives 404 Object Not Found. Failure to authenticate gives 401 Unauthorized. An improper port number returns an error message such as Failed to connect, or Port number out of range.


    The following immediately rotates credentials for all Couchbase-Server internal users on localhost:

    curl -X POST http://localhost:8091/node/controller/rotateInternalCredentials \
    -u Administrator:password

    If successful, the call returns an empty array. Note that completing rotation of the credentials may take some time.

    See Also

    Information on establishing and retrieving cluster-wide settings for the use of encryption and cipher-suites is provided in Configure On-the-Wire Security.