How do I actually rotate the client secret in the integration without breaking active flows?
We have a custom middleware that handles the OAuth token refresh. The plan is to add the new secret to the integration config, wait for propagation, then remove the old one.
The problem is the scripts. We use GetRESTProxy to call our middleware. The middleware caches the token. If I rotate the secret at 2 AM, the middleware might still be holding a token generated with the old secret. Or worse, it tries to refresh with the old secret after I’ve already purged it from the integration.
Here is the flow I’m looking at:
- Add new client secret to the Integration via API.
- Wait X minutes.
- Remove old client secret.
I tried testing this in a dev environment. I added the new secret. Immediately removed the old one. The next token refresh attempt from my middleware failed with 401 Unauthorized. The error payload looked like this:
{
"code": "unauthorized",
"message": "Invalid client credentials"
}
It seems the platform took a bit longer to accept the new secret or the old one wasn’t fully deactivated in time for the cache to expire naturally.
Is there a specific endpoint to force a token invalidation? Or do I need to handle the rotation on the middleware side by keeping both secrets active for a window?
Also, does the GetRESTProxy action in cache the token locally on the CXone server side, or does it rely entirely on the target service’s response headers? If it’s server-side caching, I might need to restart the flow or wait longer.