Subscription-notification mechanisms for synchronization of distributed states

US11516275B2 · US · B2

Patent metadata

  • Publication number: US-11516275-B2
  • Application number: US-202117410569-A
  • Country: US
  • Kind code: B2
  • Filing date: Aug 24, 2021
  • Priority date: Sep 22, 2012
  • Publication date: Nov 29, 2022
  • Grant date: Nov 29, 2022

Abstract

Official abstract text for this publication.

A method of rotating assigned credentials for client devices registering with servers may include determining that assigned credentials for a client device are expired; in response to determining that the assigned credentials have expired, generating new credentials for the client device; sending the new credentials to the client device; generating an encrypted version of the new credentials and storing the encrypted version of the new credentials at the server during a grace period, where during the grace period the client device can be authenticated using the assigned credentials or the new credentials; and deleting the encrypted version of the new credentials at an expiration of the grace period.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of rotating assigned credentials for client devices registering with servers, the method comprising: determining, by a server, that assigned credentials for a client device are expired; in response to determining that the assigned credentials have expired, generating, by the server, new credentials for the client device; sending, by the server, the new credentials to the client device; generating, by the server, an encrypted version of the new credentials and storing the encrypted version of the new credentials at the server during a grace period, wherein during the grace period the client device can be authenticated using the assigned credentials or the new credentials; and deleting, by the server, the encrypted version of the new credentials at an expiration of the grace period.

2. The method of claim 1, further comprising: receiving, by the server, the assigned credentials from the client device during the grace period; and in response to receiving the assigned credentials from the client device, sending, by the server, the new credentials to the client device.

3. The method of claim 2, wherein the new credentials are generated by the server by decrypting the encrypted version of the new credentials that are stored at the server.

4. The method of claim 1, further comprising: generating, by the server, a hashed version of the new credentials and storing the hashed version of the new credentials at the server.

5. The method of claim 4, further comprising: receiving, by the server, the new credentials from the client device during the grace period; generating, by the server, a temporary hash of the new credentials; and authenticating the client device by comparing the temporary hash of the new credentials with the hashed version of the new credentials stored at the server.

6. The method of claim 1, further comprising: storing the encrypted version of the new credentials in a secure storage that is separate from the server at the expiration of the grace period.

7. The method of claim 1, further comprising: determining, by the server, whether a secure connection exists between the server and the client device, wherein the new credentials are sent to the client device in response to a determination that the secure connection exists.

8. The method of claim 1, wherein the new credentials comprise an assigned identifier and an assigned secret for the client device, wherein the assigned identifier comprises a serial number of the client device.

9. The method of claim 8, wherein the assigned secret comprises a random number generated by the server, and a hashed version of the new credentials comprises a hash of the assigned secret.

10. The method of claim 1, wherein the assigned credentials expire after a predetermined number of uses.

11. A server comprising: one or more processors; and one or more memory devices comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: determining, by the server, that assigned credentials for a client device are expired; in response to determining that the assigned credentials are expired, generating, by the server, new credentials for the client device; sending, by the server, the new credentials to the client device; generating, by the server, an encrypted version of the new credentials and storing the encrypted version of the new credentials at the server during a grace period, wherein during the grace period the client device can be authenticated using the assigned credentials or the new credentials; and deleting, by the server, the encrypted version of the new credentials at an expiration of the grace period.

12. The server of claim 11, wherein the operations further comprise: receiving, by the server, the assigned credentials from the client device during the grace period; and in response to receiving the assigned credentials from the client device, sending, by the server, the new credentials to the client device.

13. The server of claim 12, wherein the new credentials are generated by the server by decrypting the encrypted version of the new credentials that are stored at the server.

14. The server of claim 11, wherein the operations further comprise: generating, by the server, a hashed version of the new credentials and storing the hashed version of the new credentials at the server.

15. The server of claim 14, wherein the operations further comprise: receiving, by the server, the new credentials from the client device during the grace period; generating, by the server, a temporary hash of the new credentials; and authenticating the client device by comparing the temporary hash of the new credentials with the hashed version of the new credentials stored at the server.

16. The server of claim 11, wherein the operations further comprise: storing the encrypted version of the new credentials in a secure storage that is separate from the server at the expiration of the grace period.

17. The server of claim 11, wherein the operations further comprise: determining, by the server, whether a secure connection exists between the server and the client device, wherein the new credentials are sent to the client device in response to a determination that the secure connection exists.

18. The server of claim 11, wherein the new credentials comprise an assigned identifier and an assigned secret for the client device, wherein the assigned identifier comprises a serial number of the client device.

19. The server of claim 18, wherein the assigned secret comprises a random number generated by the server, and a hashed version of the new credentials comprises a hash of the assigned secret.

20. The server of claim 11, wherein the assigned credentials expire after a predetermined number of uses.

Assignees

Inventors

Classifications

  • Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes · CPC title

  • H04L63/08 (Primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • H04L67/01 (Primary): Protocols · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11516275B2 cover?
A method of rotating assigned credentials for client devices registering with servers may include determining that assigned credentials for a client device are expired; in response to determining that the assigned credentials have expired, generating new credentials for the client device; sending the new credentials to the client device; generating an encrypted version of the new credentials an…
Who is the assignee on this patent?
Google LLC
What technology area does this patent fall under?
Primary CPC classification H04L67/1095. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 29, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).