Trying to rotate the OAuth client secret for our production app without dropping any active connections. The docs say we can add a new secret, use it for new tokens, and then remove the old one. Sounds simple enough.
Here is the flow I am running:
- POST to /api/v2/oauth/clients/{id} to add secret2 to the list of secrets.
- Wait 5 minutes (just to be safe).
- Start requesting tokens using secret2.
- Remove secret1 from the client config.
The problem happens in step 3. For about 30 to 60 seconds after adding the new secret, requests using secret2 return a 401 Unauthorized. The error payload is just {"error": "invalid_client"}.
We have a high-volume webhook listener that needs to refresh tokens continuously. If we switch secrets and get a burst of 401s, we miss events. I assumed the API would validate against the new secret immediately upon saving the client config.
Is there a caching layer on the auth service that causes this delay? Or am I missing a step in the rotation process? I tried calling the endpoint directly with curl to rule out SDK issues; same result.
curl -X POST https://api.mypurecloud.com/api/v2/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=xyz&client_secret=new_secret_value"
Response:
HTTP/1.1 401 Unauthorized
{"error":"invalid_client"}
After about a minute, the same curl command works fine. This window of failure is unacceptable for our uptime SLA. How do others handle this? Is there a way to force a cache invalidation on the auth side?
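One way to absorb the propagation window described in the post, as an added example that is not from the original poster or the Genesys Cloud SDK: a token fetcher that holds both secrets for the duration of the rotation, tries secret2 first, and falls back to secret1 on 401 invalid_client, only reporting it safe to remove secret1 once secret2 has actually minted a token. The token endpoint is replaced by a constructed in-memory stand-in with a 45-second propagation delay, and the class and helper names are assumptions for the demo.

```python
INVALID_CLIENT = {"error": "invalid_client"}

class RotatingClientCredentials:
    """Fetch client_credentials tokens while a secret rotation is in flight.
    post_token is an injected callable (client_id, secret) -> (status, body) so the
    example runs offline; in production it wraps the POST to /api/v2/oauth/token.
    The new secret is tried first; 401 invalid_client falls back to the old one."""

    def __init__(self, client_id, old_secret, new_secret, post_token):
        self.client_id = client_id
        self.secrets = [new_secret, old_secret]  # preference order
        self.post_token = post_token
        self.new_secret_verified = False  # set once the new secret mints a token

    def fetch_token(self):
        """Return (access_token, secret_used); raise if every secret is rejected."""
        for secret in self.secrets:
            status, body = self.post_token(self.client_id, secret)
            if status == 200:
                if secret == self.secrets[0]:
                    self.new_secret_verified = True
                return body["access_token"], secret
            if status == 401 and body == INVALID_CLIENT:
                continue  # not propagated yet (or revoked): try the next secret
            raise RuntimeError(f"unexpected token response {status}: {body}")
        raise RuntimeError("all configured secrets were rejected")

    def safe_to_remove_old_secret(self):
        """True only after the auth service has accepted the new secret at least once."""
        return self.new_secret_verified

def make_simulated_auth(clock, new_secret_added_at, propagation_s=45):
    """Constructed stand-in for the token endpoint: secret2 is rejected until
    propagation_s seconds after it was added, mirroring the window in the post."""
    def post_token(client_id, secret):
        if secret == "secret1":
            return 200, {"access_token": "tok-from-secret1"}
        if secret == "secret2" and clock() >= new_secret_added_at + propagation_s:
            return 200, {"access_token": "tok-from-secret2"}
        return 401, dict(INVALID_CLIENT)
    return post_token

def rotation_demo():
    """Refresh at 10s, 30s and 60s after adding secret2 -> [(t, secret_used, safe_to_remove)]."""
    now = [0]
    creds = RotatingClientCredentials("xyz", "secret1", "secret2", make_simulated_auth(lambda: now[0], 0))
    out = []
    for t in (10, 30, 60):
        now[0] = t
        _, used = creds.fetch_token()
        out.append((t, used, creds.safe_to_remove_old_secret()))
    return out
```

With this pattern the 401s during propagation are absorbed by the fallback, and secret1 is only deleted once secret2 has been observed working.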