Azure · linglingye001 · Feb 4, 2026 · Dec 15, 2025 · Jan 5, 2026 · Jan 5, 2026
diff --git a/examples/console-app/package-lock.json b/examples/console-app/package-lock.json
diff --git a/examples/web-app/package-lock.json b/examples/web-app/package-lock.json
diff --git a/examples/web-app/package.json b/examples/web-app/package.json
@@ -3,6 +3,6 @@
     "@azure/app-configuration-provider": "latest",
     "@azure/identity": "^4.1.0",
     "dotenv": "^16.3.1",
-    "express": "^4.21.2"
+    "express": "^4.22.1"
   }
 }
diff --git a/src/keyvault/keyVaultSecretProvider.ts b/src/keyvault/keyVaultSecretProvider.ts
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-import { KeyVaultOptions } from "./keyVaultOptions.js";
+import { KeyVaultOptions, MIN_SECRET_REFRESH_INTERVAL_IN_MS } from "./keyVaultOptions.js";
 import { RefreshTimer } from "../refresh/refreshTimer.js";
 import { ArgumentError } from "../common/errors.js";
 import { SecretClient, KeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
@@ -10,6 +10,7 @@ import { KeyVaultReferenceErrorMessages } from "../common/errorMessages.js";
 export class AzureKeyVaultSecretProvider {
     #keyVaultOptions: KeyVaultOptions | undefined;
     #secretRefreshTimer: RefreshTimer | undefined;
+    #minSecretRefreshTimer: RefreshTimer;
     #secretClients: Map<string, SecretClient>; // map key vault hostname to corresponding secret client
     #cachedSecretValues: Map<string, any> = new Map<string, any>(); // map secret identifier to secret value
 
@@ -24,6 +25,7 @@ export class AzureKeyVaultSecretProvider {
         }
         this.#keyVaultOptions = keyVaultOptions;
         this.#secretRefreshTimer = refreshTimer;
+        this.#minSecretRefreshTimer = new RefreshTimer(MIN_SECRET_REFRESH_INTERVAL_IN_MS);
         this.#secretClients = new Map();
         for (const client of this.#keyVaultOptions?.secretClients ?? []) {
             const clientUrl = new URL(client.vaultUrl);
@@ -47,7 +49,10 @@ export class AzureKeyVaultSecretProvider {
     }
 
     clearCache(): void {
-        this.#cachedSecretValues.clear();
+        if (this.#minSecretRefreshTimer.canRefresh()) {
+            this.#cachedSecretValues.clear();
+            this.#minSecretRefreshTimer.reset();
+        }
     }
 
     async #getSecretValueFromKeyVault(secretIdentifier: KeyVaultSecretIdentifier): Promise<unknown> {

diff --git a/src/types.ts b/src/types.ts
@@ -11,10 +11,7 @@ export type SettingSelector = {
      * @remarks
      * An asterisk `*` can be added to the end to return all key-values whose key begins with the key filter.
      * e.g. key filter `abc*` returns all key-values whose key starts with `abc`.
-     * A comma `,` can be used to select multiple key-values. Comma separated filters must exactly match a key to select it.
-     * Using asterisk to select key-values that begin with a key filter while simultaneously using comma separated key filters is not supported.
-     * E.g. the key filter `abc*,def` is not supported. The key filters `abc*` and `abc,def` are supported.
-     * For all other cases the characters: asterisk `*`, comma `,`, and backslash `\` are reserved. Reserved characters must be escaped using a backslash (\).
+     * Characters: asterisk `*`, comma `,`, and backslash `\` are reserved. Reserved characters must be escaped using a backslash (\).
      * e.g. the key filter `a\\b\,\*c*` returns all key-values whose key starts with `a\b,*c`.
      */
     keyFilter?: string,