> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Resuming a stale application

> Re-issue a client secret for a DRAFT application that the applicant returned to after the original secret expired.

Resume only matters when a browser is filling in the application — it exists to re-issue a client secret that has expired. Backend-only integrations don't issue a client secret in the first place; their bearer token is refreshed through the normal OAuth flow and there is nothing on this page to do.

A client secret has a finite lifetime (see [Expiry and refresh](/embedded-banking/guides/authentication/application-client-secret#expiry-and-refresh)). If an applicant walks away mid-application and comes back days later, the original secret has expired and the browser cannot continue. Resume re-issues a secret for a still-`DRAFT` application and delivers it to the applicant by email.

`POST /embedded-banking/v1/bank-account-applications/resume`

```bash title="Resume Request" lines theme={null}
curl -X POST 'https://api.sandbox.tesouro.com/embedded-banking/v1/bank-account-applications/resume' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{ "email": "applicant@example.com" }'
```

```json title="Response (200 OK)" lines theme={null}
{ "acknowledged": true }
```

The lookup matches `email` against the applicant's email on a `DRAFT` application owned by your credential's organization. If a match exists, a fresh client secret is generated, hashed and stored, and the plaintext is emailed to that address. The plaintext is never returned in the HTTP response — the resume call is a server-to-server trigger; the secret reaches the applicant only via the email channel.

## Always 200, by design

The response is always `{ "acknowledged": true }`, including when no matching application exists or the per-credential rate limit is exceeded. This prevents the endpoint from being used to enumerate applicant emails. A real applicant who does not receive the email should be retried after the rate-limit window or contacted out of band — the API will not tell you which case you are in.

## DRAFT only

Resume only works while the application is in `DRAFT`. Once submitted, there is nothing left for the browser to do, so there is no secret to re-issue.

<Note>
  The resume endpoint is the only way to recover access to a `DRAFT` application after the client secret has expired. The create endpoint does not return an existing application's secret a second time, and `GET` masks PII and never exposes the secret.
</Note>
