Hey folks,
We’re trying to rotate our OAuth client secrets for a background service that polls the /api/v2/… endpoints every 15 minutes. The usual docs just say ‘update the secret and restart,’ but that means downtime, which is a no-go for us during business hours.
I’m thinking of doing a dual-secret setup where we keep the old secret active while the new one is provisioned. Is there a way to have both secrets valid simultaneously? Or is there a specific API call to swap them atomically?
Here’s the flow I’m testing:
- Generate new secret via POST /api/v2/oauth/clients/{id}/secrets
- Update our config with the new secret
- Wait for the old one to expire?
The problem is step 3. If I revoke the old one too soon, the in-flight requests using the cached token fail with a 401. If I wait, we have two active secrets, which feels messy.
Has anyone scripted this rotation? I’d love to see how you handle the token cache invalidation without killing the connection pool. Right now my Python script just crashes when the old token dies mid-poll.
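One way to make the poller survive step 3, as an added example that is not from the original post: the client keeps the old and new secrets side by side, treats a 401 as "refresh once and retry" instead of crashing, and drops a secret only when the token endpoint rejects it. FakeAuthServer is a constructed in-memory stand-in for the real token endpoint and RotatingClient is a hypothetical name; neither is any vendor's API.

```python
# Added example (not from the post): dual-secret rotation against a constructed
# in-memory stand-in for the OAuth token endpoint. All names are hypothetical.
import itertools


class AuthError(Exception):
    pass


class FakeAuthServer:
    """Stand-in for the token endpoint: valid secrets mint tokens; revoking a
    secret immediately kills every token that was issued under it."""
    def __init__(self, *secrets):
        self.secrets = set(secrets)
        self.tokens = {}                       # token -> secret it was issued under
        self._ids = itertools.count(1)

    def issue_token(self, client_secret):
        if client_secret not in self.secrets:
            raise AuthError("invalid_client")
        token = f"tok-{next(self._ids)}"
        self.tokens[token] = client_secret
        return token

    def revoke_secret(self, client_secret):
        self.secrets.discard(client_secret)
        self.tokens = {t: s for t, s in self.tokens.items() if s != client_secret}

    def call_api(self, token):                 # the polled endpoint: 200 or 401
        return 200 if token in self.tokens else 401


class RotatingClient:
    """Holds candidate secrets, current one first and the newly provisioned one
    after it. A 401 triggers one token refresh; a secret the server rejects is
    dropped so the client falls through to the next one (the new secret)."""
    def __init__(self, server, secrets):
        self.server, self.secrets, self.token = server, list(secrets), None

    def refresh_token(self):
        while self.secrets:
            try:
                self.token = self.server.issue_token(self.secrets[0])
                return self.secrets[0]         # report which secret is now in use
            except AuthError:
                self.secrets.pop(0)            # revoked: fall through to the next secret
        raise AuthError("no valid client secret left")

    def poll(self):
        if self.token is None:
            self.refresh_token()
        status = self.server.call_api(self.token)
        if status == 401:                      # cached token died mid-poll: refresh, retry once
            self.refresh_token()
            status = self.server.call_api(self.token)
        return status
```

Once `refresh_token()` reports the new secret in use, the old one can be revoked server-side without the poller noticing.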