Looking to rotate the client secret for our integration without dropping active sessions. The goal is to have the new secret live before the old one expires.
Plan:
- Generate a new secret via POST /api/v2/oauth/clients/{clientId}/secrets
- Update our app config to use the new secret
- Revoke the old secret using DELETE /api/v2/oauth/clients/{clientId}/secrets/{secretId}
The issue is the timing. If I revoke the old one immediately, any long-running processes that cached the old token will fail on refresh. The docs say tokens are valid for 1 hour by default.
Is there a way to keep both secrets active simultaneously for a transition window? Or do I just have to wait out the token lifespan before revoking the old secret?
Here’s the payload for creating the new secret:
{
  "name": "rotated-secret-v2",
  "description": "Rotation for maintenance"
}
Getting a 201 on creation. Not sure if the old secret stays valid automatically or if I need to set a specific expiry. Need to avoid 401 errors in our batch jobs.
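The overlap window described in the question, as an added example that is not part of the original post or the vendor's SDK: a small rotation runner that only issues the DELETE once every token minted with the old secret can have expired. The in-memory FakeOAuthApi, the client id, the secret ids and the rule that a secret stays valid until explicitly deleted are all constructed assumptions; the endpoint paths, payload and 1-hour lifetime come from the post.

```python
import itertools

TOKEN_TTL = 3600  # the post: tokens are valid for 1 hour by default


class FakeOAuthApi:
    """Constructed stand-in for the secrets API. Assumes a secret stays valid
    until it is explicitly deleted (the post is unsure whether that holds)."""

    def __init__(self):
        self.now = 0                    # simulated clock, seconds
        self.active = {"sec-old": True}  # secret_id -> still accepted?
        self.last_issue = {}            # secret_id -> time of last token minted
        self._ids = itertools.count(2)

    def post_secret(self, client_id, body):
        # POST /api/v2/oauth/clients/{clientId}/secrets
        sid = f"sec-{next(self._ids)}"
        self.active[sid] = True
        return 201, {"id": sid, "name": body["name"]}

    def delete_secret(self, client_id, secret_id):
        # DELETE /api/v2/oauth/clients/{clientId}/secrets/{secretId}
        self.active[secret_id] = False
        return 204

    def token(self, secret_id):
        # A job (re)fetching a token with the secret its config points at.
        if not self.active.get(secret_id):
            return 401
        self.last_issue[secret_id] = self.now
        return 200


def safe_to_revoke(api, old_id):
    """The old secret may go only once every token it minted has expired."""
    last = api.last_issue.get(old_id)
    return last is None or api.now >= last + TOKEN_TTL


def rotate(api, client_id="client-123"):
    """Step 1: create the replacement; the caller then repoints app config."""
    code, new = api.post_secret(client_id, {"name": "rotated-secret-v2",
                                            "description": "Rotation for maintenance"})
    assert code == 201
    return new["id"]


def revoke_when_drained(api, client_id, old_id):
    """Step 3, guarded: returns False while old tokens may still be in use."""
    if not safe_to_revoke(api, old_id):
        return False   # a batch job could still refresh with old_id and hit 401
    api.delete_secret(client_id, old_id)
    return True
```

Note that every job still minting tokens with the old secret pushes the safe point forward, so the window really ends one lifetime after the last consumer picked up the new config, not one lifetime after the swap.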