We’re trying to rotate our OAuth client secrets in Genesys Cloud without causing a downtime window for our custom agent desktop apps. The standard docs suggest creating a new client, but that breaks existing sessions immediately if we switch over.
I’ve tried using the /api/v2/oauth/clients endpoint to update the secret directly, but I’m getting a 405 Method Not Allowed when I attempt a PATCH request on the existing client ID. The API reference says you can’t modify the secret of an active client.
Here’s the flow I’m testing:
1. Create a new client with the same scopes.
2. Update our config store to point to the new client ID.
3. Revoke the old client.
The issue is step 2. Agents currently have valid access tokens generated by the old client. When the config switches, their tokens are still valid for a few hours, but new auth attempts fail because the app hasn’t fully re-initialized with the new client context.
Is there a way to use the grant_type=refresh_token with the new client ID immediately? Or do we have to force a logout across all clients? I’ve been digging through the OAuth specs but can’t find a smooth handoff pattern for this specific scenario.