Secret Lifecycle

Diagram

Secret Lifecycle

Google Cloud

  1. Initial secret and secret version creation

    When a customer creates a Mobile Engage app, a new secret is created (if it does not already exist), and an initial secret version is created and immediately activated. It can immediately be used for encryption and decryption.

    Secret and secret version created

  2. Secret rotation

    After 90 days, the secret is rotated: a new secret version is created, but it is not activated at this time. There is a grace period of 4 days to allow all the subsystems to load the new secret version. The previous secret version is still used for encryption and decryption.

    New secret version created

  3. Activation of new secret version

    The new secret version is now activated and is used for both encryption and decryption. The previous secret version can still be used, but for decryption only.

    New secret version activated

  4. Disabling previous secret version

    90 days after rotation, the previous secret version is disabled and can no longer be used for decryption. It is still kept and can be accessed for debugging purposes.

    Previous secret version disabled

  5. Destroying previous secret version

    180 days after disabling, the previous secret version is destroyed and can no longer be recovered at all.

    Previous secret version destroyed
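
The five steps above can be modelled as a small state function, which makes it easy to check which version a subsystem should encrypt with and which versions it must still accept for decryption on a given date. This is an added example, not code from the product: the function names, the state labels and the sample timeline are hypothetical, and the timeline assumes each rotation happens 90 days after the previous version was created.

```python
from datetime import datetime, timedelta

GRACE = timedelta(days=4)            # new version exists but is not yet activated
DISABLE_AFTER = timedelta(days=90)   # measured from the rotation that replaced it
DESTROY_AFTER = timedelta(days=180)  # measured from the moment it was disabled

def version_state(created, successor_created, now, initial=False):
    """State of one secret version at `now` (state names are illustrative labels).

    created           -- when this version was created
    successor_created -- when the next version was created (rotation), or None
    initial           -- True for the first version, which is activated at creation
    """
    if now < created:
        raise ValueError("version does not exist yet")
    activated = created if initial else created + GRACE
    if now < activated:
        return "PENDING"        # step 2: created, not used yet
    if successor_created is None or now < successor_created + GRACE:
        return "ACTIVE"         # steps 1 and 3: encrypt and decrypt
    disabled = successor_created + DISABLE_AFTER
    if now < disabled:
        return "DECRYPT_ONLY"   # step 3: previous version
    if now < disabled + DESTROY_AFTER:
        return "DISABLED"       # step 4: kept, no decryption
    return "DESTROYED"          # step 5: unrecoverable

def usable_versions(creation_times, now):
    """Return (index to encrypt with, indexes accepted for decryption)."""
    encrypt_with, decrypt_with = None, []
    for i, created in enumerate(creation_times):
        if created > now:
            break
        nxt = creation_times[i + 1] if i + 1 < len(creation_times) else None
        state = version_state(created, nxt, now, initial=(i == 0))
        if state == "ACTIVE":
            encrypt_with = i
        if state in ("ACTIVE", "DECRYPT_ONLY"):
            decrypt_with.append(i)
    return encrypt_with, decrypt_with

# Constructed timeline: three versions, each created 90 days after the previous one.
T0 = datetime(2024, 1, 1)
VERSIONS = [T0, T0 + timedelta(days=90), T0 + timedelta(days=180)]

if __name__ == "__main__":
    for day in (0, 91, 94, 180, 360):
        print(day, usable_versions(VERSIONS, T0 + timedelta(days=day)))
```

With this cadence, the day a version is disabled coincides with the next rotation, so at most two versions are ever accepted for decryption at the same time.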