Best Practices for Tokens

Rotate Client Secret

This guide will show you how to change your application's client secret using Auth0's Management API. This task can also be performed using the Dashboard.

A newly rotated secret may not take effect immediately. To minimize downtime, we suggest you store the new client secret in your application's code as a fallback to the previous secret. This way, if the connection doesn't work with the old secret, your app will use the new secret.

Secrets can be stored in a list (or similar structure) until they're no longer needed. Once you're sure that an old secret is obsolete, you can remove its value from your app's code.

  1. Make a POST call to the Rotate a Client Secret endpoint. Be sure to replace YOUR_CLIENT_ID and MGMT_API_ACCESS_TOKEN placeholder values with your client ID and Management API Access Token, respectively.

Value                  Description
YOUR_CLIENT_ID         The ID of the application to be updated.
MGMT_API_ACCESS_TOKEN  An Access Token for the Management API with the scope update:client_keys.
  2. Update authorized applications

When you rotate a client secret, you must update any authorized applications with the new value.
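The fallback scheme described above (old secret first, new secret as fallback, old value removed once it is obsolete), as an added example that is not Auth0 SDK code. The request builder targets the Management API v2 rotate-secret endpoint; the `domain`, `client_id` and `mgmt_token` parameters, the `try_secret` callback and the `SimulatedServer` stand-in for the token endpoint are constructed for this illustration.

```python
"""Added example (not Auth0 SDK code): keep the previous and the new client
secret side by side while a rotation propagates, then drop the old one."""
from typing import Callable, Sequence


def rotate_secret_request(domain: str, client_id: str, mgmt_token: str) -> dict:
    """Describe the POST to the Management API v2 rotate-secret endpoint.
    Returned as a dict (method, url, headers) for any HTTP client; nothing is sent here.
    """
    return {
        "method": "POST",
        "url": f"https://{domain}/api/v2/clients/{client_id}/rotate-secret",
        "headers": {"Authorization": f"Bearer {mgmt_token}"},
    }


def authenticate_with_fallback(secrets: Sequence[str],
                               try_secret: Callable[[str], bool]) -> int:
    """Try stored secrets in order (previous first, new one as fallback).
    `try_secret` performs the real token request and returns True on success.
    Returns the index of the first accepted secret; raises if none works.
    """
    for index, secret in enumerate(secrets):
        if try_secret(secret):
            return index
    raise RuntimeError("no stored client secret was accepted")


def prune_obsolete(secrets: Sequence[str],
                   try_secret: Callable[[str], bool]) -> list:
    """Keep only the secrets the server still accepts, so stale ones can be removed."""
    return [s for s in secrets if try_secret(s)]


class SimulatedServer:
    """Constructed stand-in for the token endpoint: accepts exactly one secret."""

    def __init__(self, secret: str) -> None:
        self.secret = secret

    def accepts(self, secret: str) -> bool:
        return secret == self.secret

    def rotate(self, new_secret: str) -> None:
        self.secret = new_secret
```

In a real deployment `try_secret` would perform the client-credentials token request against your tenant and return whether it succeeded.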