Our team wants to rotate the following secrets associated with our oauth app without/with minimal downtime.
- client secret
- Does the platform instantly invalidate the client secret when we regenerate it in the UI?
- event secret token
- In the docs, I see that the webhook is revalidated every 72 hours - so is the old secret token valid for 72 hours?
- basic authentication password
- Presumably we could allow our service to try both the old and new password for a time.
- After we update the password in webhook and then validate, we delete the old password from our service env.
I found this API (/marketplace/apps/{appId}/rotate_client_secret)but don’t think it applies to the basic authentication case. Would like to see if there’s any way to do this without downtime, but it sounds like the client secret and the secret token would both require it.