8.5 Rotating the bearer token

Whenever you suspect the token has leaked (it showed up in a screenshot, a URL with ?token= ended up somewhere public, a connector got shared), rotate it:

  1. Generate a new token: openssl rand -hex 32.
  2. Update OWNSONA_API_TOKEN in src/main/backend/application.ini.
  3. Rebuild and redeploy: ./bld -v build && ./bld war && sudo cp work/Kiss.war /home/ownsona/tomcat/webapps/ROOT.war.
  4. Update every client (ChatGPT connector URL, Claude config, your scripts, CLI config files).

There is no dual-token grace window. Clients see 401 until they update. For a single-user store this is fine; do it after-hours.
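
Steps 1 and 2 as one shell function, added here as an example and not part of the project's own tooling. It assumes the ini keeps the token on a single line of the form "OWNSONA_API_TOKEN = value"; the name rotate_token is hypothetical. It refuses to run unless that line exists exactly once, because a substitution that matches nothing would leave the leaked token in place without any error.

```shell
#!/bin/sh
# Added example. Usage: rotate_token src/main/backend/application.ini
# Assumption: the token sits on one line, "OWNSONA_API_TOKEN = <value>".

rotate_token() {
    ini=$1
    key=OWNSONA_API_TOKEN

    # Require exactly one matching line; zero matches would mean the
    # rewrite below changes nothing and the old token stays live.
    count=$(grep -c "^[[:space:]]*${key}[[:space:]]*=" "$ini") || true
    if [ "${count:-0}" != 1 ]; then
        echo "rotate_token: expected 1 ${key} line in $ini, found ${count:-0}" >&2
        return 1
    fi

    # Step 1: 32 random bytes as 64 hex characters
    # (reads /dev/urandom directly only if openssl is not installed).
    new=$(openssl rand -hex 32 2>/dev/null) ||
        new=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    case $new in
        *[!0-9a-f]*) echo "rotate_token: bad token output" >&2; return 1 ;;
    esac
    [ "${#new}" -eq 64 ] || return 1

    # Step 2: write the new file beside the ini, then rename over it.
    # mktemp creates the file with mode 0600, so the result is owner-only.
    tmp=$(mktemp "${ini}.XXXXXX") || return 1
    # The token travels in the environment, not on awk's command line,
    # and is never echoed to the terminal.
    NEW_TOKEN=$new awk -v key="$key" '
        $0 ~ "^[ \t]*" key "[ \t]*=" { print key " = " ENVIRON["NEW_TOKEN"]; next }
        { print }
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$ini"
}
```

Read the new value from the ini when updating clients in step 4; steps 3 and 4 are unchanged.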