Client Credentials Expiration and Overlap


Hello Okta gurus,

What are the best practices to rotate client credentials (grant_type=client_credentials) on periodic basis but still have overlapping capability to avoid hard co-ordination between teams which are geographically distributed?

e.g. can we have 90 days client creds rotation policy but still have 7 days overlapping with old creds?



Hi @Shailesh_Joshi

Due to security reasons, we don’t offer this capability to overlap the old credentials with the new ones. The best solution would be to have a daily cURL request to check if the credentials have been rotated and, if yes, gather the new credentials, unless the application requests the /keys endpoint every time before checking the signature.

1 Like

Thanks dragos - when we normally rotate the creds, do both client id and secret key get rotated or just the secret?


Hi @Shailesh_Joshi

By rotation, we update the signing keys for verifying JWT tokens locally, not the client ID and client secret. You can find more details about this process here.