Rotating your client secret


Overview

The Secret Rotation feature in Next Identity helps protect your client from unauthorized access by letting you generate a new client secret and phase out the old one over a defined transition period. Regular rotation limits how long a leaked or over-shared secret stays usable and supports best practices in application security.

You can rotate secrets manually in the Next Identity Console, confirm successful rotation, and view a history of all past rotations.

Prerequisites

  • Role-based permissions to manage secrets (see Roles and Permissions)

  • Coordination with your engineering team to ensure the new secret is updated in your systems before the old one expires

Steps

1. Access the Secret Rotation Component

  • Go to Clients

  • Select the client whose secret you want to rotate

  • Navigate to the Environment tab

  • Under Configure your client, select the Security tab and locate the Secret rotation section

2. Initiate the Rotation

  • Review the current secret and the last rotation date

  • Click Rotate to start the rotation process

3. Confirm the Environment

  • A confirmation dialog will appear

  • Ensure the correct environment is selected

4. Choose the Transition Period

  • Set the duration for how long the old secret remains valid

  • Options range from 0 hours (immediate deactivation) to 168 hours (7 days)

5. Confirm Rotation

  • Enter the client name to confirm the action

  • A new secret is generated and shown under the Credentials tab (initially obfuscated)

  • Toggle visibility using the eye icon

  • A message indicates when the old secret will expire

What Happens Next

  • Your old secret remains valid during the defined transition period

  • Update your backend services or API integrations with the new secret, and verify that they authenticate successfully with it, before the old one expires; once the transition period ends, any request still presenting the old secret is rejected

  • You can monitor the status and see the rotation reflected in the Secret Rotation History
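The steps above describe a rotation with an overlap window: both secrets are accepted until the transition period ends, after which only the new one works. The following added example, which is not Next Identity code, models that behaviour on the server side (digests only, constant-time comparison, one retired secret honoured until its expiry) and adds the cutover check an integration should run before the old secret expires. The class and function names, the SHA-256 digest scheme, the history record format and the reference time T0 are assumptions for illustration.

```python
"""Added example (not Next Identity code): a model of client-secret rotation
with a 0-168 hour transition window, plus the client-side cutover check.
Names, the hashing scheme and the history record format are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MAX_TRANSITION_HOURS = 168                        # console's upper bound: 7 days
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed reference time


def hours_after(n: float, start: datetime = T0) -> datetime:
    """Reference time plus n hours, so the timeline can be stepped deterministically."""
    return start + timedelta(hours=n)


def _digest(secret: str) -> bytes:
    # Store and compare digests only; the plaintext is shown once, at rotation time.
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class ClientCredentials:
    client_id: str
    current_hash: bytes
    previous_hash: Optional[bytes] = None
    previous_expires_at: Optional[datetime] = None
    history: list = field(default_factory=list)

    def rotate(self, transition_hours: int, initiated_by: str, now: datetime) -> str:
        """Generate a new secret; keep the old one valid for transition_hours (0 = immediate)."""
        if not 0 <= transition_hours <= MAX_TRANSITION_HOURS:
            raise ValueError(f"transition must be 0..{MAX_TRANSITION_HOURS} hours")
        new_secret = secrets.token_urlsafe(32)
        if transition_hours == 0:
            self.previous_hash, self.previous_expires_at = None, None
        else:
            # Only one retired secret is honoured at a time: rotating again during
            # a transition drops the older one (an assumption of this model).
            self.previous_hash = self.current_hash
            self.previous_expires_at = now + timedelta(hours=transition_hours)
        self.current_hash = _digest(new_secret)
        self.history.append({
            "initiated_by": initiated_by,
            "rotated_at": now,
            "old_secret_expires_at": self.previous_expires_at,
        })
        return new_secret  # returned once; the caller must deliver it to the integration

    def authenticate(self, presented: str, now: datetime) -> bool:
        """Accept the current secret, or the previous one until its expiry."""
        d = _digest(presented)
        if hmac.compare_digest(d, self.current_hash):
            return True
        if (self.previous_hash is not None
                and now < self.previous_expires_at
                and hmac.compare_digest(d, self.previous_hash)):
            return True
        return False


def new_client(client_id: str) -> Tuple[ClientCredentials, str]:
    """Provision a client with a fresh secret; returns the record and the plaintext."""
    secret = secrets.token_urlsafe(32)
    return ClientCredentials(client_id=client_id, current_hash=_digest(secret)), secret


def cutover_is_safe(creds: ClientCredentials, new_secret: str, now: datetime) -> bool:
    """Client-side check: the new secret must already authenticate, and we must still
    be inside the transition window so a failed deployment can fall back to the old one."""
    inside_window = creds.previous_expires_at is None or now < creds.previous_expires_at
    return inside_window and creds.authenticate(new_secret, now)


def demo() -> dict:
    """Rotate with a 24-hour transition and report what is accepted when."""
    creds, old = new_client("acme-backend")
    new = creds.rotate(24, "alice@example.com", T0)
    return {
        "old_valid_in_window": creds.authenticate(old, hours_after(23)),
        "new_valid": creds.authenticate(new, hours_after(23)),
        "old_rejected_after_window": not creds.authenticate(old, hours_after(24)),
        "cutover_safe_before_expiry": cutover_is_safe(creds, new, hours_after(1)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Run cutover_is_safe from the integration's own environment as soon as the new secret has been deployed there, not from the console; if it returns False while the window is still open, roll the deployment back to the old secret and investigate before the expiry passes.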

Viewing the Secret Rotation History

1. Navigate to the History Table

  • Go to Clients

  • Select the relevant client

  • In the Environment tab, access Configure your client > Security > Secret rotation

2. Review the History

If previous rotations exist, you'll see a history table showing:

  • Secret (hidden by default; toggle to reveal)

  • Initiated by (user who performed the rotation)

  • Rotation date and expiration date

  • Available actions (such as copy or revoke, if applicable)

The table is sorted by most recent by default.

Roles & Permissions

Only users with specific roles can view or initiate secret rotations.
To configure access, refer to the Roles and Permissions documentation or speak with your Next Identity Consultant.

Frequently Asked Questions (FAQs)

Q: Why should I always use the Next Identity Console for secret rotations?
A: It ensures your rotation process is secure, auditable, and integrated with the platform's secret lifecycle management.

Q: How often should I rotate my secrets?
A: Every 90 days is a common best practice, but consult your security team for compliance-specific requirements. If you suspect a secret has been exposed, rotate it immediately and choose a 0-hour transition period so the old secret is deactivated at once.

Q: What happens to the old secret?
A: It remains valid during the transition period (0–168 hours) and is invalidated automatically after expiration.

Q: How do I verify that rotation was successful?
A: A new secret appears in the Console, and the Secret Rotation History will show the rotation date and initiator.

Q: Can I view previous secrets?
A: Yes, depending on your role. The history table includes obfuscated entries and key rotation metadata.

Q: Who is authorized to rotate secrets?
A: Only users with the appropriate permissions. Check with your admin or Next Identity Consultant for role setup.
