Rotating API client secrets


API clients for the external API automatically have a client_id and client_secret generated upon creation.

The client_id and client_secret remain the same for the life of the API client. This means that if the client_secret was ever publicly exposed, the API client had to be deleted and recreated.

The Rotate client secret action lets you regenerate the client_secret. This not only regenerates the client_secret but also removes any API tokens that were previously generated using it.

How to Rotate client secret

In a Totara site with the external API enabled, you can select Rotate client secret when viewing an API client.

  1. Navigate to the API clients page: Quick access menu > Development > API > API clients.

  2. From the API clients page, select the three dots for the API client.

  3. From the menu, select Rotate client secret.

  4. A confirmation pop-up is displayed showing the number of active API tokens currently in use. Selecting Cancel closes the pop-up and the Client secret remains the same. When Rotate is selected, the Client secret is regenerated and existing active tokens are removed.

  5. The Client secret field will now show the new client secret value.

Note: Any external service using the specified external API client will need to be updated to use the new client secret in order to continue functioning correctly. Any services that use the previous client secret will receive an error when they attempt to make a request to the API client.
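
The effect of rotation on a calling service, as an added example that is not part of the Totara documentation or code: a constructed in-memory stand-in (FakeApiServer) models the behaviour described above, and a hypothetical ApiClient reads the secret from a secret store on every token request, so updating the stored secret is enough to recover. All class, method and value names are assumptions for illustration and do not reflect the real API's endpoints or error format.

```python
import secrets

class AuthError(Exception):
    """Raised when the server rejects a client secret or an API token."""

class FakeApiServer:
    """Constructed in-memory stand-in that models the rotation behaviour above."""
    def __init__(self):
        self.client_id = "example-client"           # constructed value
        self.client_secret = secrets.token_hex(16)  # constructed value
        self.tokens = set()

    def issue_token(self, client_id, client_secret):
        if client_id != self.client_id or not secrets.compare_digest(
                client_secret, self.client_secret):
            raise AuthError("invalid client credentials")
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def call(self, token):
        if token not in self.tokens:
            raise AuthError("invalid token")
        return "ok"

    def rotate_client_secret(self):
        # Rotation regenerates the secret and removes every token issued with it.
        self.client_secret = secrets.token_hex(16)
        self.tokens.clear()

class ApiClient:
    """Hypothetical caller: fetches the secret from a provider, never caches it."""
    def __init__(self, server, client_id, secret_provider):
        self.server, self.client_id = server, client_id
        self.secret_provider = secret_provider  # e.g. a secret-store lookup
        self.token = None

    def request(self):
        for attempt in range(2):
            try:
                if self.token is None:
                    self.token = self.server.issue_token(
                        self.client_id, self.secret_provider())
                return self.server.call(self.token)
            except AuthError:
                if self.token is None or attempt == 1:
                    raise          # the secret itself was rejected: stored secret is stale
                self.token = None  # cached token was removed: re-authenticate once
```

Until the stored secret is updated, every request fails with the credentials error, which is the signal to alert on after a rotation.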




© Copyright 2026 Totara Learning Solutions. All rights reserved.