Credential rotation¶
Two flows: changing the current user's password (in-session) and rotating to a new identity (re-construct the client).
In-session password change¶
The SDK:
- Calls
PUT /users/me/passwordwith the old and new values. - On a 2xx, updates the in-memory password store and invalidates the cached token.
- Subsequent calls trigger a lazy re-login with the new password.
The application continues uninterrupted. No re-construction of
RtlsClient is needed.
Wrong-old-password handling¶
A wrong old password raises ValidationError (or AuthenticationError
depending on server response). Catch it at the call site:
from rtls_sdk import ValidationError
try:
client.auth.change_password(old_password="wrong", new_password="…")
except ValidationError:
log.warning("rejected: old password incorrect")
Rotating to a new identity¶
To switch which user the client speaks as, construct a new client:
old = RtlsClient.from_env()
old.close()
new = RtlsClient(username="new@example.com", password="…", base_url="…")
There's no client.login_as(...) shortcut — identities are bound at
construction so the audit trail (X-User-Email) is unambiguous.
Rotating tokens (BYO mode)¶
In BYO-token mode (see BYO token), the SDK can't refresh tokens on its own. When you receive a fresh token from your token issuer, construct a new client: