Reconnect App

Reconnect an integration app with new credentials (the credential-rotation path); the request app_class_id must match the existing app. Like connect, the app either connects in-band or awaits browser consent in the Lumos UI. If a sync is already in flight, the request is throttled with 429 and a Retry-After header.

Recent Requests
Log in to see full request history
TimeStatusUser Agent
Retrieving recent requests…
LoadingLoading…
Path Params
string
required
Body Params
string
required

Canonical identifier of the integration to connect, e.g. okta.com. Determines the credentials and settings the integration expects. Must be an integration Lumos supports for your domain; an unknown value is rejected with 400. Required — omitting it fails request validation with 422.

settings
object

Non-secret configuration as a JSON object — e.g. host, port, region, or tenant / instance URL. Carries the per-deployment tuning an integration needs that isn't a credential; the accepted keys vary by integration and some integrations need none. Integrations whose tenant is set manually take it here as app_instance_identifier (e.g. an Okta domain); others derive it from the credentials during connect. Discover the accepted keys via GET /v1/integrations/{app_class_id}/connection-schema. Optional — defaults to an empty object.

auth
object

Credentials as a JSON object. All secrets go here — there are no top-level credential fields. The accepted keys depend on the integration and are validated server-side; see the per-integration request examples. Discover the accepted keys for a given app via GET /v1/integrations/{app_class_id}/connection-schema. Some integrations connect in-band from these credentials (e.g. an api_key, or an OAuth client_id/client_secret). Others require browser consent and are finished in the Lumos UI — for those, auth may be empty ({}). Missing or wrong-shaped credentials are rejected with 400; credentials the third party rejects return 502.

Optional integration version override. Pins the connection to a specific integration implementation/version instead of the current default — used for staged rollouts and back-compat. Leave unset (null) to use the default version, which is correct for nearly all callers; an unregistered version is rejected with 400.

Responses

400

Bad request — the request could not be processed. Common causes: missing or malformed credentials, an unknown app_class_id, or an invalid configuration value. See the detail field for the specific reason.

403

Forbidden — the caller lacks permission to manage apps on this domain.

404

Not found — no app with this id in your domain.

409

Conflict — the app is not managed via the API (connection_source is not API), so it cannot be reconnected here.

429

Too many requests — a sync is already in flight for this app. Includes a Retry-After header (seconds).

501

Not implemented — this app does not support the requested operation.

502

Bad gateway — the third-party service rejected the credentials, or the post-reconnect sync failed.

Language
Credentials
Bearer
LoadingLoading…
Response
Click Try It! to start a request and see the response here! Or choose an example:
application/json