# `mix relyra.metadata.pin`
[🔗](https://github.com/szTheory/relyra/blob/v1.1.0/lib/mix/tasks/relyra.metadata.pin.ex#L1)

Pins a SHA-256 trust fingerprint onto a connection's metadata source.

Used by IaC adopters (Terraform / Pulumi) and operators who manage
trust state via scripts. The admin LiveView fingerprint UX (deferred
to v0.6) shares the same underlying changeset
(`MetadataSource.auto_refresh_changeset/2`) so the two paths cannot
drift.

    mix relyra.metadata.pin <connection_id> --fingerprint <sha256_hex> --repo MyApp.Repo

Multiple `--fingerprint` flags may be supplied in one invocation
(rotation window — D-17 multi-valued anchor).

Operator MUST verify the fingerprint out-of-band before running this
command. The fingerprint is the SHA-256 of the IdP's signing-cert
(lowercase hex, no colons), computed via:

    openssl x509 -in metadata-signing.pem -outform DER \
      | openssl dgst -sha256 \
      | tr 'A-F' 'a-f'

The pin REPLACES the source's `metadata_trust_fingerprints` array.
Supply every currently-pinned fingerprint plus the new one to extend
(this matches the "explicit always" Relyra strict-defaults principle).

---

*Consult [api-reference.md](api-reference.md) for complete listing*