Hello,

We have no reason to believe but are acting as if the consumer_key and secret to our app have been compromised.  Is there any way we can rotate these values to get new credentials?  I am assuming that if we could get a new secret the secret + a user's current refresh_token would be capable of acquiring a new access token.  Finally is the risk of impersonation mitigated by the callback URLs being set in Salesforce itself?

Thanks!