We’ve got a Genesys Cloud instance where the OTel exporter needs to rotate the OAuth client secret every 24 hours. The current setup uses the grant_type=client_credentials flow to get an access token for the Data Action calls.
The problem is the secret rotation itself. If I just update the secret in the developer console, the old secret becomes invalid immediately. Any active span propagation or in-flight Data Action calls that are still using the old token (which was issued with the old secret) will fail when they try to refresh or if the token expires before the new one is picked up.
Here’s the current flow in the Python SDK:
```python
from pygenesys import GenesysClient

client = GenesysClient(
    client_id='...',
    client_secret='old_secret',  # This needs to rotate
    environment='mypurecloud.com'
)
```
I’m looking for a step-by-step code pattern to handle this without downtime. Ideally, I want to:
- Generate a new client secret.
- Update the OTel exporter config with the new secret.
- Wait for all active sessions using the old secret to finish.
- Deactivate the old secret.
But I’m not sure if the Genesys Cloud API supports having two active secrets simultaneously. If I try to get a token with the old secret after updating it, I get a 401 Unauthorized response.
Is there a way to keep both secrets active for a grace period? Or is there a specific API call to POST /api/v2/organizations or something similar that handles this handover? I’ve checked the docs but it’s not clear if there’s a “pending” state for secrets.
Also, how do I handle the token caching? If I have a cached token that’s still valid for another 50 minutes, do I need to force a re-auth with the new secret immediately, or can I wait for it to expire? Waiting for expiration means I’m using the old secret’s context, which might be a security risk if the old secret is compromised.
Any code examples or best practices for this rotation logic would be great. We’re using genesys-cloud-python v2.0.0.
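The token-caching question above, as an added example that is not part of the original post and is not Genesys or SDK code: a vendor-neutral cache that re-authenticates as soon as it sees a rotated secret and retries once when the token endpoint answers 401. `RotatingTokenCache`, `AuthError`, `load_secret` and `fetch_token` are hypothetical names, and the secret store and token endpoint in `demo()` are constructed stand-ins.

```python
import time

class AuthError(Exception):
    """Raised by fetch_token when the token endpoint answers 401."""

class RotatingTokenCache:
    """Caches a client_credentials token and follows secret rotation (hypothetical helper)."""
    def __init__(self, client_id, load_secret, fetch_token, clock=time.monotonic, skew=60):
        self._client_id = client_id
        self._load_secret = load_secret   # assumed: returns the current secret from a secret store
        self._fetch_token = fetch_token   # assumed: (client_id, secret) -> (token, expires_in_s)
        self._clock, self._skew = clock, skew
        self._secret = load_secret()
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        current = self._load_secret()
        if current != self._secret:
            # Rotation seen: drop the token minted under the old secret right away
            # instead of letting it run out its remaining lifetime.
            self._secret, self._token = current, None
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def _refresh(self):
        try:
            token, ttl = self._fetch_token(self._client_id, self._secret)
        except AuthError:
            # The secret changed between load and use: reload once and retry.
            self._secret = self._load_secret()
            token, ttl = self._fetch_token(self._client_id, self._secret)
        self._token, self._expires_at = token, self._clock() + ttl

def demo():
    """Constructed simulation: endpoint accepts only the active secret, 1 h tokens."""
    store, valid, now, calls = {"secret": "s1"}, {"secret": "s1"}, [0.0], []
    def fetch(client_id, secret):
        calls.append(secret)
        if secret != valid["secret"]:
            raise AuthError("401 Unauthorized")
        return f"tok-{secret}-{len(calls)}", 3600
    cache = RotatingTokenCache("cid", lambda: store["secret"], fetch, clock=lambda: now[0])
    t1 = cache.get_token()                      # first fetch with s1
    now[0] = 600.0
    t2 = cache.get_token()                      # served from cache
    store["secret"] = valid["secret"] = "s2"    # rotation happens
    t3 = cache.get_token()                      # immediate re-auth with s2
    return t1, t2, t3, calls
```

Dropping the cached token only stops this client from presenting it; whether the provider also invalidates tokens issued under the old secret is outside what this sketch shows.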