Rotate an OAuth 2.0 Secret

Rotate the client secrets used in your OAuth 2.0 integrations regularly to maintain security. Rotating client secrets at least every 180 days is a good security practice. You can also rotate a secret if you lose access to it.

User Permissions Needed
To generate and stage a secret: Admin
To activate a secret: Admin

In Marketing Cloud Engagement, rotating a secret involves three steps:

  1. Generate and stage a client secret.
  2. Update your external apps and integrations to use the staged secret.
  3. Activate the staged secret, which deactivates the current secret and replaces it with the staged secret.

Client secrets for API integrations expire 180 days after they’re generated. To see expiration dates for all of your client secrets, see the summary table on the Installed Packages page in Setup.

To generate and stage a new secret, use the Marketing Cloud Engagement web interface. You can generate a new secret no more than one time in a 5-minute period.

If you previously generated a staged secret but never activated it, it’s replaced when you generate a new staged secret.

  1. In Setup, in the Quick Find box, enter packages, and then click Installed Packages.
  2. Select the package that you want to generate a new client secret for.
  3. In the Staged Secret section, click Generate.
  4. Enter a description for the new client secret, and then click Next.
  5. Save the client secret in a secure location. After you click Finish, you can’t view the client secret again.
  6. Click Finish.
  7. Wait for 5 minutes after staging the secret. After 5 minutes, you can activate the secret or issue authentication requests that use it.

After you stage the secret, Marketing Cloud Engagement accepts authentication requests that use either the staged secret or the active secret. This behavior helps you rotate secrets while minimizing downtime.

When you’re ready to begin using the new staged secret, activate it. Activating a staged secret deactivates the previous secret and makes the staged secret active. You can activate no more than one secret every 5 minutes.

When you activate the staged secret, the previously active secret is immediately deactivated. After you deactivate a secret, you can’t reactivate it.

For security purposes, after you activate a secret, the details page for the installed package obfuscates the secret.

  1. Update your external apps and clients to use the staged secret. After you activate the staged secret, your apps can no longer authenticate by using the previously active secret.
  2. In Setup, in the Quick Find box, enter packages, and then click Installed Packages.
  3. Select the package that contains the secret that you want to activate.
  4. In the Staged Secret section, click Activate.

All secrets generated after March 2026 begin with the prefix SFMC_ followed by 51 characters and an 8-character checksum. Treat your secrets like you would treat any other type of password. To protect your critical systems, monitor your public repositories and cloud file stores for credentials that follow this pattern.
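
One way to act on the monitoring advice above is a scanner that flags strings with this shape in a checked-out repository or a synced copy of a file store. This is an added example, not Salesforce code. The page gives only the lengths, so the character set (letters, digits, `_`, `-`) and the names `find_secrets` and `scan_tree` are assumptions, and the checksum is not verified because its algorithm is not described here.

```python
import hashlib
import re
from pathlib import Path

# Assumption: the page states only the lengths (SFMC_ + 51 characters + 8-character
# checksum), not the alphabet. Letters, digits, "_" and "-" are assumed here.
TOKEN = "[A-Za-z0-9_-]"
SECRET_RE = re.compile(rf"(?<!{TOKEN})SFMC_{TOKEN}{{51}}{TOKEN}{{8}}(?!{TOKEN})")
MAX_BYTES = 5 * 1024 * 1024  # skip very large files

def fingerprint(secret: str) -> str:
    """Short SHA-256 tag so a finding can be tracked without storing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_secrets(text: str):
    """Return (line_number, fingerprint) for every candidate secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_RE.finditer(line):
            findings.append((lineno, fingerprint(match.group())))
    return findings

def scan_tree(root):
    """Scan regular files under root; return (path, line_number, fingerprint)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        results.extend((str(path), n, fp) for n, fp in find_secrets(text))
    return results

# Constructed sample: the secret below is fabricated filler, not a real credential.
FAKE_SECRET = "SFMC_" + "a1B2c" * 10 + "Z" + "0" * 8
SAMPLE = "\n".join([
    "client_id=example",
    f'client_secret="{FAKE_SECRET}"',
    "note=SFMC_tooShortToMatch",      # wrong length, must not match
    f"padded={FAKE_SECRET}extra",     # longer token, must not match
])

if __name__ == "__main__":
    for lineno, fp in find_secrets(SAMPLE):
        print(f"line {lineno}: candidate SFMC_ secret, sha256 prefix {fp}")
```

Findings carry a SHA-256 prefix instead of the secret itself, so the report can be stored or shared. Rotate any secret that turns up, using the steps above.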