# Reconfigure OIDC for a tenant

> Update the OIDC configuration for an existing Poolside deployment.

## Overview

Use this guide to update the OIDC configuration of an existing Poolside deployment. Common reasons to reconfigure include:

* The OIDC client secret expired, or your identity provider rotated it.
* The Poolside deployment hostname changed, so the redirect URL no longer matches the identity provider configuration.
* The OIDC issuer URL or client ID changed.

You can use the `reconfigure-tenant` command to update one OIDC field or several fields in a single reconfiguration. When you update the client secret, Poolside re-encrypts it at rest.

This guide does not cover initial OIDC configuration. For the initial OIDC application setup in your identity provider, see [OIDC authentication](/deployment/oidc-for-entra-id).

## Prerequisites

* `kubectl` access to the cluster running Poolside, with permission to exec into pods in the `poolside` namespace.
* The new OIDC values you want to apply: issuer URL, client ID, client secret, or redirect URL.

## Steps

1. The `reconfigure-tenant` command requires the tenant ID as a positional argument. Find the tenant ID from the auth API or directly from Postgres.

   <Tabs>
     <Tab title="Auth API">
       1. If the Poolside deployment is reachable from your workstation, query the `tenant-login-options` endpoint with any valid Poolside user email. URL-encode the `@` as `%40`.

          ```bash theme={null}
          curl -ks -X 'GET' 'https://<your-poolside-hostname>/v0/auth/tenant-login-options?email=<valid-email>' -H "Content-Type: application/json" | jq -r '.tenants[0].id'
          ```

          Example output:

          ```text theme={null}
          123e4567-e89b-12d3-a456-426614174000
          ```

       2. Copy the printed UUID to use it as `<tenant-id>`.
     </Tab>

     <Tab title="Postgres">
       1. Exec into the `postgres-0` pod and open a `psql` session:

          ```bash theme={null}
          kubectl -n poolside exec -it postgres-0 -- psql -U poolside -d poolside
          ```

       2. Query the `tenant` table:

          ```sql theme={null}
          select id, uuid from tenant;
          ```

          Example output for a single-tenant on-premises deployment:

          ```text theme={null}
           id |                 uuid
          ----+--------------------------------------
            1 | 123e4567-e89b-12d3-a456-426614174000
          (1 row)
          ```

       3. Copy the `uuid` value to use it as `<tenant-id>`.

       4. Exit `psql` with `\q`.
     </Tab>
   </Tabs>

2. Exec into a `core-api` pod and run the `reconfigure-tenant` command with the flags you want to change. Include at least one OIDC flag.

   The `reconfigure-tenant` command supports the following flags:

   * `--oidc-client-id`: OIDC client ID.
   * `--oidc-client-secret`: OIDC client secret. Poolside encrypts this value at rest.
   * `--oidc-issuer`: OIDC issuer URL.
   * `--oidc-redirect-url`: OIDC redirect URL.

   ```bash title="Command syntax" theme={null}
   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> [flags]
   ```

   To rotate the client secret only:

   ```bash title="Example: Rotate the client secret" theme={null}
   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-client-secret '<new-client-secret>'
   ```

   To update multiple fields in one command:

   ```bash title="Example: Update multiple OIDC fields" theme={null}
   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-issuer '<new-issuer-url>' --oidc-client-id '<new-client-id>' --oidc-client-secret '<new-client-secret>' --oidc-redirect-url 'https://<new-poolside-hostname>/auth/callback'
   ```

   On success, the command prints:

   ```text theme={null}
   Tenant <tenant-id> reconfigured.
   ```

   <Warning>
     Passing an empty string to any `--oidc-*` flag is rejected. Quote secrets with single quotes to avoid shell expansion of special characters.
   </Warning>

3. Verify the change.

   Sign in to Poolside at `https://<your-poolside-hostname>` and complete the OIDC flow. A successful sign-in confirms the new configuration is in effect.

   If sign-in fails, check `core-api` logs for the OIDC error returned by the identity provider:

   ```bash theme={null}
   kubectl -n poolside logs -l app.kubernetes.io/name=core-api --tail=200
   ```
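
A pre-flight check for the inputs to step 2, as an added example that is not Poolside's own code. The function names are hypothetical, and requiring `https` for the issuer and redirect URL is an assumed local policy.

```sh
#!/bin/sh
# Added example: local pre-flight checks for reconfigure-tenant arguments.
# Function names are hypothetical; nothing here contacts the cluster.

reject() { printf 'preflight: %s\n' "$1" >&2; }

# matches VALUE ERE: true only if VALUE is one line that matches ERE in full.
matches() {
  case $1 in *"
"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx -e "$2"
}

# check_oidc_args TENANT_ID [--oidc-flag VALUE]...
check_oidc_args() {
  matches "$1" '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' ||
    { reject "tenant ID is not a UUID"; return 1; }
  shift
  [ "$#" -ge 2 ] || { reject "include at least one --oidc-* flag"; return 1; }
  while [ "$#" -gt 0 ]; do
    flag=$1
    [ "$#" -ge 2 ] || { reject "$flag has no value"; return 1; }
    value=$2
    shift 2
    # The command rejects empty strings; catch them before exec'ing into the pod.
    [ -n "$value" ] || { reject "$flag is empty"; return 1; }
    case $flag in
      --oidc-client-id|--oidc-client-secret) ;;
      --oidc-issuer|--oidc-redirect-url)
        # Assumption: local policy requires https for both URLs.
        matches "$value" 'https://[^[:space:]]+' ||
          { reject "$flag must be an https:// URL"; return 1; }
        ;;
      *) reject "unknown flag $flag"; return 1 ;;
    esac
  done
}

# read_secret: prompt with echo off so the secret stays out of shell history.
read_secret() {
  printf 'New OIDC client secret: ' >&2
  stty -echo; IFS= read -r secret; stty echo
  printf '\n' >&2
  printf '%s' "$secret"
}

# Usage (interactive), with $tenant set to the tenant UUID:
#   secret=$(read_secret)
#   check_oidc_args "$tenant" --oidc-client-secret "$secret" &&
#     kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api \
#       reconfigure-tenant "$tenant" --oidc-client-secret "$secret"
```

Passing the secret as `"$secret"` in double quotes hands it to `kubectl` unchanged, the same effect the single quotes have for a literal value.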
