401 Unauthorized: Invalid client credentials.

I am rotating the OAuth client secret for the PagerDuty integration webhook using the standard /api/v2/oauth/client/rotate endpoint. The rotation completes successfully and returns the new secret, but subsequent POST requests to PagerDuty fail with 401s for roughly 30 seconds. Here is the Python snippet I use to fetch the new token:
import requests

def refresh_oauth_token(client_id, new_secret, grant_type='client_credentials'):
    url = 'https://api.mypurecloud.com/api/v2/oauth/token'
    # Pass the fields as a dict so requests form-encodes them; a secret
    # containing '&', '+' or '=' would be corrupted by manual string building.
    body = {
        'grant_type': grant_type,
        'client_id': client_id,
        'client_secret': new_secret,
    }
    # requests sets Content-Type: application/x-www-form-urlencoded for dict data.
    response = requests.post(url, data=body, timeout=10)
    return response.json()
Is there a propagation delay on the Genesys Cloud side for the new secret to become active in the OAuth service, or am I missing a cache invalidation step in the client code?
It’s worth looking at the timing between the secret rotation and the token request. The API returns the new secret immediately, but the token service might still be validating the old one during that 30-second window. Instead of rotating the secret directly via the API in your pipeline, consider using a double-secret strategy. Generate a new client ID/secret pair first, update your integration config to use it, verify it works, then delete the old one.
Here is a Pulumi TypeScript snippet to create a fresh OAuth client, which avoids the rotation race condition entirely:
import * as genesyscloud from "@genesyscloud/pulumi";

const newClient = new genesyscloud.platform.OauthClient("pagerduty-new", {
    name: "PagerDuty Webhook",
    redirectUris: ["https://hooks.pagerduty.com/genesys"],
    grantTypes: ["client_credentials"],
    scopes: ["webhook:write"]
});

export const clientId = newClient.clientId;
export const clientSecret = newClient.clientSecret;
Note: Always store the new secret in a secure vault immediately. The API response is the only place it appears in plaintext.
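
An added example, not part of either post and not Genesys Cloud or PagerDuty code: one way to gate the double-secret cutover described above, polling with the new credentials until the token service accepts them and retiring the old client only afterwards. The function names, the backoff values, the two hooks and the FakeAuthServer stand-in (constructed so the sketch runs offline) are assumptions; in practice fetch_token would wrap a real token request and return (status, json).

```python
import time
class CutoverError(RuntimeError):
    """The new credentials were not accepted, so nothing was switched."""

def wait_until_accepted(fetch_token, deadline_s=60.0, base_delay_s=1.0,
                        max_delay_s=8.0, sleep=time.sleep, clock=time.monotonic):
    """Poll with the NEW credentials; return the number of attempts needed.
    fetch_token() -> (http_status, json_body). Only 401 is retried (the
    thread reports ~30 s of 401s after a change); anything else fails fast.
    """
    start, delay, attempts = clock(), base_delay_s, 0
    while True:
        attempts += 1
        status, body = fetch_token()
        if status == 200 and "access_token" in body:
            return attempts
        if status != 401:
            raise CutoverError(f"unexpected status {status}")
        if clock() - start + delay > deadline_s:
            raise CutoverError(f"still 401 after {attempts} attempts")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)  # capped exponential backoff

def cutover(fetch_with_new, activate_new, retire_old, **wait_kwargs):
    """Double-secret order: verify new, switch config, retire old last."""
    attempts = wait_until_accepted(fetch_with_new, **wait_kwargs)
    activate_new()  # hypothetical hook: point the integration at the new secret
    retire_old()    # hypothetical hook: delete the old client only now
    return attempts

class FakeAuthServer:
    """Constructed stand-in: answers 401 until ready_at seconds have passed."""
    def __init__(self, ready_at):
        self.now, self.ready_at = 0.0, ready_at
    def clock(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds
    def fetch(self):
        if self.now < self.ready_at:
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "constructed-token", "expires_in": 3600}

def demo():
    server, order = FakeAuthServer(ready_at=30.0), []
    attempts = cutover(server.fetch, lambda: order.append("activate"),
                       lambda: order.append("retire"),
                       sleep=server.sleep, clock=server.clock)
    return attempts, order
```

If the deadline passes or a non-401 error comes back, CutoverError is raised before either hook runs, so the old client stays in service.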