Rotating client_secret

We have a Zoom OAuth app where we would like to regenerate the client_secret.

I was wondering about the implications of changing the client_secret in regards to current users of our application who have authorized our app.

Once the client_secret is regenerated, would we need to take any additional steps, like having those users reauthorize the app, or would the existing access_tokens and meetings continue to be valid since it’s the same OAuth app?

Appreciate your help!

@engineeringsupport Hope you will be fine.

No need to reauthorize; the user’s existing access and refresh tokens remain valid. Once the access_token has expired, you need to refresh it using the refresh_token and the regenerated client_secret.

If anything is still unclear, ask. Thanks

That’s very helpful, thank you. My last question would be if it’s possible to rotate the key without causing downtime between deployments.

My understanding is that there is a single client_secret so when we regenerate that secret we’ll be unable to use the old one. Is it possible to have two in place for a short time?

@engineeringsupport Welcome & Thanks

There is no direct way. You need to put your system under maintenance, then update the client_id, and go back live.

thanks for the explanation!
