2 min read
Overlap, then cut over
The safe pattern is overlap. Mint a second OAuth client with the same scopes as the current one, deploy it to your token cache, and let both work for a short window. Because tokens are minted from the credential, your running tokens keep working during the swap.
Verify on the new credential
Confirm a real call succeeds on a token minted from the new client before you touch the old one — mint, call a read endpoint, check for a 200. Only then move all traffic across. Keep the token cache keyed by client so the two never collide (see caching tokens).
Revoke the old credential
Once every worker is minting from the new client and you have verified there is no residual traffic on the old one, revoke the old secret. If you rotate because of a suspected leak, revoke immediately and accept the brief disruption — a compromised secret is a live risk, and scopes bound its blast radius but do not remove it.
Frequently asked questions
Can I just change the secret on the existing client?
You can, but it risks an outage — any worker still holding the old secret fails at the next mint. Overlapping two clients lets you cut over and verify with zero downtime, then revoke.
What if the secret has leaked?
Revoke immediately rather than waiting for a clean overlap — a leaked secret is a live risk. Least-privilege scoping limits the damage, but the only fix is revocation. Then stand up a fresh credential.
Related reading

Cache OAuth tokens across your workers
Mint an access token once and share it across every worker. Key the cache by (client, scope), store the…
Read →
Submit an application on partner/v1
Take an application end to end on the partner ring: mint a token, POST /applications with an idempotency key,…
Read →Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.