Rotating OAuth client secrets for Embeddable Client App without dropping active sessions

Hey everyone. I am working on a security requirement where we need to rotate the client secret for our OAuth confidential client every 30 days. The client is used exclusively by our custom Embeddable Client App SDK (JavaScript/React wrapper) to authenticate agents. The current setup works fine for initial logins, but the rotation process is causing issues for agents who are already logged in and have long-running interactions.

The goal is zero downtime. When the backend rotates the secret, the old secret should still be valid for existing refresh tokens, or the SDK should handle the transition gracefully without forcing a hard logout. I am trying to figure out if Genesys Cloud supports a grace period for old secrets or if I need to implement a specific double-submit pattern in the SDK auth flow.

Here is what I have tried so far:

  • Generated a new client secret via the API (PUT /api/v2/oauth/clients/{clientId}) and updated the new secret in our secret manager.
  • Kept the old secret active in the Genesys admin console for a 24-hour overlap period.
  • Updated the SDK configuration to use the new secret for new login attempts.
  • Observed that agents with active sessions using the old secret start getting 401 Unauthorized errors on their refresh token calls (POST /api/v2/oauth/token) after a few minutes, even though the old secret is technically still valid in the admin UI.

The SDK throws an error like this:

Error: Authentication failed. The client secret is invalid or expired.
// Stack trace points to the refresh token interceptor

I am confused because the documentation implies that refresh tokens are long-lived and should work until they expire, regardless of the client secret change. Is there a specific API call or SDK method I am missing to ensure the old refresh tokens remain valid during the transition? Or do I need to force a re-authentication cycle programmatically when the secret changes?

I am using the latest version of the genesyscloud-webmessaging-sdk and the standard genesyscloud-platform-client-sdk-javascript. Any insights on how to handle this rotation without disrupting the agent desktop experience would be appreciated.
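Added example, not code from the Genesys Cloud SDKs or from this thread: a refresh helper that tries the current secret first and falls back to the previous one during the overlap window, and reports which slot succeeded so the rollout can be monitored. It assumes the secrets are held by a backend token service rather than the browser bundle, and `makeFakeTokenEndpoint` is a constructed stand-in for POST /api/v2/oauth/token.

```javascript
// Added example (not part of the Genesys Cloud SDK): refresh-token helper that
// tolerates a client-secret rotation window. Secrets are assumed to live in a
// backend token service; a browser bundle cannot keep a confidential secret.

// Constructed secret-manager snapshot: "current" is the new secret, "previous"
// the one being retired. Real values come from the secret manager at runtime.
const SECRETS = { current: "secret-B", previous: "secret-A" };

// Fake stand-in for POST /api/v2/oauth/token. The server accepts whichever
// secrets are in `acceptedSecrets`; anything else yields 401 like the post's error.
function makeFakeTokenEndpoint(acceptedSecrets) {
  return ({ client_secret, refresh_token }) =>
    acceptedSecrets.has(client_secret)
      ? { status: 200, body: { access_token: `at-for-${refresh_token}`, refresh_token } }
      : { status: 401, body: { error: "invalid_client" } };
}

// Try the current secret, then the previous one. Never log the secret itself;
// surface only which slot worked so rotation progress can be monitored.
function refreshWithRotation(tokenEndpoint, refreshToken, secrets) {
  const slots = [["current", secrets.current], ["previous", secrets.previous]]
    .filter(([, value]) => Boolean(value));
  for (const [slot, secret] of slots) {
    // In production this would be an awaited fetch(); the stub is synchronous.
    const res = tokenEndpoint({
      grant_type: "refresh_token", refresh_token: refreshToken, client_secret: secret,
    });
    if (res.status === 200) return { ok: true, slot, tokens: res.body };
    if (res.status !== 401) throw new Error(`token endpoint returned HTTP ${res.status}`);
  }
  // Both secrets rejected: the session cannot be extended silently, so the
  // caller should start an interactive re-login rather than retry in a loop.
  return { ok: false, slot: null, reason: "reauth_required" };
}

// Walk the three states a client can see during a rotation window.
function rotationScenarios() {
  const rt = "rt-123"; // constructed refresh token
  return {
    beforeCutover: refreshWithRotation(makeFakeTokenEndpoint(new Set(["secret-A"])), rt, SECRETS),
    duringOverlap: refreshWithRotation(makeFakeTokenEndpoint(new Set(["secret-A", "secret-B"])), rt, SECRETS),
    afterRevocation: refreshWithRotation(makeFakeTokenEndpoint(new Set(["secret-C"])), rt, SECRETS),
  };
}
```

Alerting when the `previous` slot is still in use near the end of the overlap window tells you which clients have not picked up the new secret before it is revoked.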

You’re likely hitting the token cache instead of forcing a refresh. Check if your SDK config has forceRefreshToken: true enabled during the rotation window.