Trying to rotate our OAuth client secrets without dropping active webhooks. The docs say you can maintain two active secrets, but my integration is choking on the switch. I’ve got Client A (old secret) and Client B (new secret) configured in GC. I’m pulling the token via a standard POST to /oauth/token with client credentials.
The flow looks like this:
- Client A still works fine.
- Client B gets a valid 200 OK and a fresh access token.
- I immediately use that token to hit
/api/v2/webhooksto verify delivery. - Result: 401 Unauthorized.
Here’s the token request payload I’m sending for Client B:
{
"grant_type": "client_credentials",
"client_id": "<new-client-id>",
"client_secret": "<new-client-secret>"
}
The token response is clean. No errors there. But the subsequent API call fails. I’ve checked the webhook endpoint config-it’s set to use the same platform org. I’ve tried waiting 5 minutes between rotation and testing, thinking maybe there’s a cache, but no luck. Is there a specific header I’m missing, or does the webhook definition need to be updated to point to the new client ID explicitly?
Current env:
- Platform: Genesys Cloud
- SDK: Node.js (custom fetch wrapper)
- Scope:
webhooks:read webhooks:write - Method: POST /oauth/token → GET /api/v2/webhooks