Zero-downtime OAuth client secret rotation using the Platform SDK

We’re preparing to rotate our OAuth client secrets for the custom agent desktop widget built with the Embeddable Client App SDK. The goal is to avoid any service interruption during the switch. The standard approach suggests creating a new secret, updating the app config, and then disabling the old one. But I’m hitting a wall with how the SDK handles the token cache and refresh cycles.

Here’s the flow I’m testing:

  1. Generate new secret via /api/v2/oauth/clients/{id}/secrets
  2. Update environment variables in the host app
  3. Trigger a token refresh in the SDK

The issue is step 3. The SDK seems to hold onto the old access token until it expires, even if I force a logout/login cycle. When the old token expires, the refresh fails with invalid_grant because the old secret is still active but the SDK is trying to use the new one, or vice-versa depending on timing.

// Attempting to force refresh
await genesysCloud.logout();
await genesysCloud.login({
  clientId: process.env.NEW_CLIENT_ID,
  clientSecret: process.env.NEW_CLIENT_SECRET
});

This throws a 401 Unauthorized. The logs show the SDK is still trying to use the cached refresh token associated with the old secret. I’ve tried clearing the local storage manually, but that kicks the agent out entirely, which we want to avoid.

Is there a way to programmatically swap the credentials in the SDK without a full logout? Or is the only reliable method to schedule the rotation during a maintenance window? I need a step-by-step code example that handles the transition cleanly. The documentation is vague on the exact sequence of API calls needed to flip the switch without breaking active sessions.
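
An overlap-window rotation sequence, as an added example that is not part of the original post and is not Genesys Cloud or SDK code. It models a hypothetical authorization server (`MockAuthServer`) that accepts two client secrets at once and binds refresh tokens to the client ID, plus a hypothetical client wrapper (`RotatingClient`) that stages the new secret while keeping the current tokens. Every name here is an assumption, and whether the platform allows two active secrets has to be confirmed against its own documentation.

```javascript
// Added example: in-memory model, not Genesys Cloud or SDK code. Assumed: two secrets
// may overlap and refresh tokens bind to client_id (as in RFC 6749), not to a secret.
class MockAuthServer {
  constructor(clientId, secret) {
    Object.assign(this, { clientId, counter: 0 });
    this.secrets = new Set([secret]);
    this.refreshTokens = new Map(); // refresh token -> client_id
  }
  addSecret(s) { this.secrets.add(s); }
  revokeSecret(s) { this.secrets.delete(s); }
  issue(clientId) {
    const n = ++this.counter;
    this.refreshTokens.set(`rt-${n}`, clientId);
    return { accessToken: `at-${n}`, refreshToken: `rt-${n}` };
  }
  refresh(clientId, secret, refreshToken) {
    if (clientId !== this.clientId || !this.secrets.has(secret)) return { error: 'invalid_client' };
    if (this.refreshTokens.get(refreshToken) !== clientId) return { error: 'invalid_grant' };
    this.refreshTokens.delete(refreshToken); // single-use refresh token
    return this.issue(clientId);
  }
}

class RotatingClient {
  constructor(server, clientId, secret, tokens) {
    Object.assign(this, { server, clientId, tokens });
    this.candidates = [secret]; // preferred secret first
  }
  stageSecret(next) { this.candidates.unshift(next); } // tokens stay untouched
  refresh() {
    for (const secret of this.candidates) {
      const r = this.server.refresh(this.clientId, secret, this.tokens.refreshToken);
      if (r.error === 'invalid_client') continue; // secret rejected: try fallback
      if (r.error) throw new Error(r.error);
      this.tokens = r;
      if (secret === this.candidates[0]) this.candidates = [secret]; // drop old
      return secret;
    }
    throw new Error('invalid_client');
  }
}

function rotate(server, client, oldSecret, newSecret) {
  server.addSecret(newSecret);   // 1. both secrets valid
  client.stageSecret(newSecret); // 2. client prefers new, old kept as fallback
  const used = client.refresh(); // 3. prove a refresh succeeds with the new one
  if (used !== newSecret) throw new Error('new secret unused; keep old active');
  server.revokeSecret(oldSecret); // 4. only now retire the old secret
  return used;
}
```

The old secret is revoked only after a refresh has been observed to succeed with the new one, and an `invalid_client` rejection never consumes the refresh token, so the fallback attempt stays valid.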