MongoDB drivers should provide support for rotating authentication credentials: - The customer may opt to rotate a specific credential (a password, client keytab, or a re-issued client certificate - when your private key will be the old one or a new one and the certificate will always be updated), or both the username *and* its credential - drivers must support authentication hooks/override methods to handle custom logic. For example: when an external vault processes the password change, it will have a delay before the SCRAM / PLAIN password gets changed in the MongoDB Server / LDAP server. The customer-provided code will take care of this. - Once a MongoDB connection went through the authentication step, the driver no longer needs a credential. However, we must allow for customers to choose between two following scenarios: a) drain the existing connections ASAP and create a bunch of new ones using a new credential; b) keep the existing connections as long as needed, potentially until the next restart of the MongoDB Server instance or until the application code decides to re-authenticate using them.