Zero-downtime OAuth client secret rotation for Genesys Cloud Data Actions

Is it possible to rotate OAuth client secrets without downtime for our Genesys Cloud Data Actions? We are migrating from Five9 and need a seamless transition.

Context:
Our Python service uses the client credentials flow to fetch tokens for Data Actions. Updating the secret in the API immediately invalidates the old one, causing 401 Unauthorized errors during the switch.

Question:
What is the step-by-step code logic to support both old and new secrets simultaneously? Does Genesys Cloud allow dual-secret validation during rotation, or do we need a custom proxy layer?

This is actually a known issue with the strict validation on the Genesys side. You have to implement a dual-secret check in your Lambda handler where the new secret is validated first, then the old one, allowing a brief overlap period before revoking the old credential in the admin console.

// Accept either secret during the overlap window; NEW_SECRET and OLD_SECRET are loaded elsewhere.
const isValid = (secret) => secret === NEW_SECRET || secret === OLD_SECRET;
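The dual-secret check from the answer above, as an added example that is not part of the original thread: it compares in constant time instead of with `===`, and accepts the old secret only until an overlap deadline. The `checkSecret` name, the rotation object shape and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the thread). The rotation object shape and all
// sample values are constructed for illustration.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// HMAC both sides with a per-process key so the compared buffers always have
// equal length (timingSafeEqual throws otherwise) and length is not leaked.
const CMP_KEY = randomBytes(32);
const digest = (s) => createHmac("sha256", CMP_KEY).update(s).digest();
const isNonEmptyString = (v) => typeof v === "string" && v.length > 0;

// rotation: { current, previous?, previousExpiresAt? (ms since epoch) }
// Returns { ok, matched } with matched = "current" | "previous" | null.
function checkSecret(presented, rotation, now = Date.now()) {
  // Fail closed on a missing presented secret or a missing current secret.
  if (!isNonEmptyString(presented) || !isNonEmptyString(rotation.current)) {
    return { ok: false, matched: null };
  }
  const hasPrevious = isNonEmptyString(rotation.previous);
  const inOverlap = hasPrevious &&
    Number.isFinite(rotation.previousExpiresAt) &&
    now < rotation.previousExpiresAt;

  // Run both comparisons every time so response timing does not show
  // which secret (if any) was being checked.
  const p = digest(presented);
  const matchesCurrent = timingSafeEqual(p, digest(rotation.current));
  const matchesPrevious = timingSafeEqual(
    p, digest(hasPrevious ? rotation.previous : rotation.current)) && hasPrevious;

  if (matchesCurrent) return { ok: true, matched: "current" };
  if (matchesPrevious && inOverlap) return { ok: true, matched: "previous" };
  return { ok: false, matched: null };
}

// Constructed sample: old secret accepted until t = 2000 ms.
const SAMPLE_ROTATION = {
  current: "new-secret-constructed",
  previous: "old-secret-constructed",
  previousExpiresAt: 2000,
};
for (const [secret, now] of [["new-secret-constructed", 1000],
  ["old-secret-constructed", 1000], ["old-secret-constructed", 2000]]) {
  // Log which credential matched, never the secret itself; "previous" hits
  // identify callers that still need updating before the old secret is revoked.
  console.log(now, checkSecret(secret, SAMPLE_ROTATION, now));
}
```

Once no request has matched `previous` for a full overlap period, the old credential can be removed from the handler's configuration and revoked.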