Rotate an OAuth 2.0 Secret

Rotating the client secrets used in your OAuth 2.0 integrations regularly is a security best practice. You can also rotate a secret in situations where you want to use an integration but no longer have access to the secret.

User Permissions Needed
To generate and stage a secretAdmin
To activate a secretAdmin

In Marketing Cloud Engagement, you rotate a secret in three steps.

  1. Generate and stage a client secret.
  2. Update your external apps and integrations to use the staged secret.
  3. Activate the staged secret, which deactivates the current secret and replaces it with the staged secret.

To generate and stage a new secret, use the Marketing Cloud Engagement web interface. You can generate a new secret no more than one time in a 5-minute period.

If you previously generated a staged secret but never activated it, it’s replaced when you generate a new staged secret.
  1. In Setup, in the Quick Find box, enter packages, and then click Installed Packages.
  2. Select the package that you want to generate a new client secret for.
  3. In the Staged Secret section, click Generate.
  4. Enter a description for the new client secret, and then click Next.
  5. Save the client secret in a secure location. After you click Finish, you can’t view the client secret again.
  6. Click Finish.
  7. Wait for 5 minutes after staging the secret. After 5 minutes, you can activate the secret or issue authentication requests that use it.

After you stage the secret, Marketing Cloud Engagement accepts authentication requests that use either the staged secret or the active secret. This behavior helps you rotate secrets while minimizing downtime.

When you’re ready to begin using the new staged secret, activate it. Activating a staged secret disables the previous secret and makes the staged secret active. You can activate no more than one secret every 5 minutes.

When you activate the staged secret, the previously active secret is immediately deactivated and can’t be reactivated.

For security purposes, after you activate a secret, the secret is obfuscated on the details page for the installed package.

  1. Update your external apps and clients to use the staged secret. After you activate the staged secret, your apps can no longer authenticate by using the previously active secret.
  2. In Setup, in the Quick Find box, enter packages, and then click Installed Packages.
  3. Select the package that contains the secret that you want to activate.
  4. In the Staged Secret section, click Activate.