Rotating Genesys Cloud OAuth secrets without breaking active sessions

We’re trying to rotate our OAuth client secrets in the Genesys Cloud Developer Console without taking down our internal monitoring tool. The docs suggest you can add a new secret while the old one is still active, then update the app config. Sounds simple enough. In practice, it’s a mess.

I added a second secret to the client credentials grant. My Python script fetches a new token using the fresh secret. That part works. The 200 OK comes back with a valid access token. But here’s the weird part. The tokens generated with the new secret seem to have a shorter lifespan than the ones from the old secret. Or maybe the cache isn’t invalidating correctly. I’m seeing 401 Unauthorized errors on requests that should be valid for another 35 minutes. The error payload is standard, no hints about secret rotation.

Here’s the token refresh logic:

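import requests

def get_token(client_id, client_secret):
    # Client credentials grant against the Genesys Cloud login endpoint
    url = "https://login.mypurecloud.com/oauth/token"
    payload = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    response = requests.post(url, data=payload, headers=headers, timeout=10)
    response.raise_for_status()  # surface a failed token request instead of a KeyError
    return response.json()["access_token"]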

I’m calling this every hour. The token expires in 40 minutes. I’m getting 401s at minute 25. Only when I use the old secret. The new secret tokens work fine until they expire naturally. It’s like the old secret tokens are being flagged as compromised the moment the new one is added. Or maybe the clock skew on the auth server is acting up. We’re in Europe/Berlin, so timezone shouldn’t matter for the API, but who knows.

Is there a specific header I need to send? Or a delay required between adding the secret and using it? The documentation is silent on this. I’ve checked the audit log, nothing stands out. Just the usual token issuance events. This is blocking our security compliance scan. Need to know if this is a known bug or if I’m missing a step.
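
An added example, not part of the original post and not Genesys code: a token cache that renews from the `expires_in` value in the token response instead of a fixed hourly timer, and retries once with a fresh token when a request comes back 401. `TokenCache`, `fetch` and `simulate` are hypothetical names, the tokens and the minute-25 rejection are constructed sample data, and the code assumes the response carries the standard OAuth 2.0 `expires_in` field.

```python
import time

class TokenCache:
    """Caches one client-credentials token and renews it shortly before expiry."""
    def __init__(self, fetch, margin=60, clock=time.monotonic):
        self._fetch = fetch      # callable returning the token endpoint's JSON as a dict
        self._margin = margin    # renew this many seconds before the stated expiry
        self._clock = clock      # injectable so the logic can be exercised offline
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        now = self._clock()
        if force or self._token is None or now >= self._expires_at - self._margin:
            body = self._fetch()
            self._token = body["access_token"]
            # A missing expires_in is treated as zero lifetime: fetch again next time
            self._expires_at = now + float(body.get("expires_in", 0))
        return self._token

    def call(self, request):
        """request(token) -> (status, result); one retry with a new token on 401."""
        status, result = request(self.token())
        if status == 401:
            status, result = request(self.token(force=True))
        return status, result

def simulate():
    """Constructed run: 40-minute tokens, first token rejected from minute 25."""
    now, issued = [0.0], []

    def fetch():                 # stand-in for the POST to the token endpoint
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 2400}

    def api(token):              # stand-in for an API call made with the token
        if token == "tok1" and now[0] >= 25 * 60:
            return 401, None
        return 200, token

    cache = TokenCache(fetch, clock=lambda: now[0])
    log = []
    for minute in (0, 20, 25, 50, 64, 65):
        now[0] = minute * 60.0
        log.append((minute, *cache.call(api)))
    return log, issued
```

In real use, `fetch` would wrap the POST to the token endpoint and return `response.json()`.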