@bondi-labs/integration-sdk - v0.0.1

    Token rotation

    Every custom integration is authenticated with a single token used as the HMAC signing key in both directions. This guide covers when and how to rotate it.

    • Suspected leak. A developer accidentally committed .env; the token appeared in a screenshot; someone who had access to the token leaves the company.
    • Scheduled hygiene. Quarterly is reasonable for production integrations, and doubles as a quick "does anyone still need this token?" sanity check.
    • Token loss. You can't find the original token and need to re-establish access.

    Rotation produces a new token and keeps the previous token valid for 24 hours. This window lets you:

    1. Receive the new token from Studio.
    2. Update BONDI_INTEGRATION_TOKEN in your secrets manager.
    3. Redeploy your service.
    4. Verify everything works.

    Without this grace window, every rotation would cause downtime equal to your redeploy time (often minutes).

    T+0s    Rotate clicked in Studio: new token issued, previous token marked with a 24h expiry
    T+0s    Studio shows the new token ONCE: copy it now, it cannot be retrieved later
    T+0s    Bondi (sender) starts signing outbound action calls with the NEW token
    T+0s    Bondi (receiver) accepts trigger emits signed with EITHER token
    T+24h   Previous token expires; only the new one works

    • Outbound (your emit() calls): keep using the old token until you redeploy. The Bondi receiver accepts both during the window.
    • Inbound (Bondi calls your action endpoints): Bondi signs with the NEW token from the moment of rotation. Your BondiGuard only knows about the OLD token until you redeploy.

    ⚠️ There's a window where action calls FROM Bondi can fail until your service has the new token. Plan rotations during low-traffic periods or when you can immediately redeploy.
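The following TypeScript is an added illustration, not SDK code, of the timeline above: it models Bondi's side (mint a new token, keep the previous one for 24h, verify against every still-valid token) and your side (a guard that knows only one token), then replays the four cases that matter: your old outbound signature during the window, an inbound call from Bondi before and after your redeploy, and your old signature once the window has closed. The signing format (HMAC-SHA256 over the raw body, hex encoded), the token values and the payload are assumptions constructed for the example; the page does not specify the SDK's wire format.

```typescript
// Added example, not code from @bondi-labs/integration-sdk. The HMAC construction
// (SHA-256 over the raw body, hex digest) is an ASSUMPTION for illustration only.
import { createHmac, timingSafeEqual, randomBytes } from "node:crypto";

const GRACE_MS = 24 * 60 * 60 * 1000; // the 24h window described on this page

interface TokenSet {
  current: string;
  previous?: { token: string; validUntil: number }; // epoch ms
}

// Sign a request body with an integration token.
function sign(body: string, token: string): string {
  return createHmac("sha256", token).update(body).digest("hex");
}

// Constant-time comparison of two hex digests.
function equalHex(a: string, b: string): boolean {
  const ab = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Accept a signature made with the current token, or with the previous token
// while it is still inside its grace window. Every candidate is checked so the
// timing does not reveal which token matched.
function verify(body: string, sig: string, keys: TokenSet, now: number): boolean {
  const candidates = [keys.current];
  if (keys.previous && now < keys.previous.validUntil) candidates.push(keys.previous.token);
  let ok = false;
  for (const t of candidates) ok = equalHex(sig, sign(body, t)) || ok;
  return ok;
}

// What Studio does at T+0: issue a new token and keep the old one valid for 24h.
function rotate(keys: TokenSet, now: number, newToken = "bnd_tok_" + randomBytes(16).toString("hex")): TokenSet {
  return { current: newToken, previous: { token: keys.current, validUntil: now + GRACE_MS } };
}

// Replay the rotation timeline. All tokens, timestamps and the payload are constructed.
function walkthrough() {
  const t0 = Date.parse("2026-04-26T12:34:56.000Z");
  const oldTok = "bnd_tok_old_constructed";
  const bondi = rotate({ current: oldTok }, t0, "bnd_tok_new_constructed");
  const guardBeforeRedeploy: TokenSet = { current: oldTok };        // BondiGuard still on OLD token
  const guardAfterRedeploy: TokenSet = { current: bondi.current };  // after you redeploy with NEW token
  const body = JSON.stringify({ event: "contact.created", id: 42 }); // constructed payload
  const inWindow = t0 + 60_000;

  return {
    // Outbound: your not-yet-redeployed emit() still signs with the old token; Bondi accepts it.
    outboundOldTokenDuringGrace: verify(body, sign(body, oldTok), bondi, inWindow),
    // Inbound: Bondi signs with the NEW token immediately; a guard that only knows OLD rejects it.
    inboundBeforeRedeploy: verify(body, sign(body, bondi.current), guardBeforeRedeploy, inWindow),
    inboundAfterRedeploy: verify(body, sign(body, bondi.current), guardAfterRedeploy, inWindow),
    // T+24h: the previous token has expired on Bondi's side.
    outboundOldTokenAfterGrace: verify(body, sign(body, oldTok), bondi, t0 + GRACE_MS),
    previousTokenValidUntil: new Date(bondi.previous!.validUntil).toISOString(),
  };
}
```

Running `walkthrough()` gives `inboundBeforeRedeploy: false` while the other two in-window checks are `true`: that single `false` is the gap the warning above describes, and it exists only because the guard holds one token. Once you redeploy, inbound verifies; once `previousTokenValidUntil` (here `2026-04-27T12:34:56.000Z`) passes, an un-redeployed emitter starts getting rejected too.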

    1. Open the custom integration in your workspace's Studio.
    2. Settings tab → "Rotate token".
    3. Confirm. The new token is shown ONCE.
    4. Copy and save it (1Password / Vault / Secrets Manager).

    The same rotation via the API:

    curl -X POST \
      -H "Authorization: Bearer ${YOUR_JWT}" \
      https://automation.heybondi.com/v1/workspaces/${WORKSPACE_ID}/integrations/custom-definitions/${SLUG}/rotate-token

    Response includes:

    {
      "slug": "my-crm",
      "token": "bnd_tok_...",
      "tokenWarning": "Save this token now — it cannot be retrieved again. Update BONDI_INTEGRATION_TOKEN in your environment. The previous token remains valid for 24 hours.",
      "previousTokenValidUntil": "2026-04-27T12:34:56.000Z"
    }

    1. Schedule rotation for off-peak hours.
    2. Click "Rotate" in Studio. Save the new token.
    3. Update secret manager with the new token.
    4. Trigger redeploy of every service that has BONDI_INTEGRATION_TOKEN set:
      • Backend NestJS app
      • Webhook receivers
      • Any worker/cron that emits triggers
    5. Verify by emitting a test event and confirming the workflow runs.
    6. Wait 24h. The old token auto-expires; you don't need to do anything.

    If you don't redeploy within 24h, the old token expires and you'll see:

    • Inbound action calls from Bondi: 401. BondiGuard rejects them because your service still verifies with the old token (these have been failing since the moment of rotation, not just since expiry).
    • Outbound emits from your service: 401. The Bondi receiver now rejects the expired token as well.

    Recovery: rotate again. You'll get a new token and another 24h window. This is annoying but not catastrophic, as long as you redeploy inside the new window.

    Q: Can I rotate without grace? Currently no — the 24h grace is built in. If you need immediate revocation (e.g. confirmed compromise), contact support to wipe the previous credential immediately.

    Q: Do my workflows need to be re-tested after rotation? No. The integration definition (services, actions, triggers, schemas) is unchanged. Only the HMAC key changes.

    Q: Does rotation invalidate connection state in Bondi? No. The integration_connections row is updated in place; existing workflow node bindings still resolve to the same connection.

    Q: How do I rotate in a multi-environment setup (dev, staging, prod)? Each environment uses its own integration with its own token. Rotate per-environment as needed.