Rotate the Client Secret

The client secret protects your resources by only granting tokens to requestors if they're authorized. Protect your client secrets; if any are ever compromised, you should rotate to a new one. Please remember that all authorized apps will therefore need to be updated with the new client secret.

Rotate the Client Secret in the Dashboard

You can rotate your client secret under Applications in the Dashboard. Choose the application you wish to edit by clicking on its name or the Settings gear icon associated with the application.

On the Settings page, the Client Secret will be the fourth parameter listed. To the right, click on the rotation icon to rotate your secret. You can view you your new secret by checking the box next to Reveal client secret.

Scroll to the bottom of the Settings page, and click Save Changes.

Rotate the Client Secret Using the Management API

You can rotate your application's secret by making a POST call to the Rotate a Client Secret endpoint of the Management API. The global client secret can also be rotated via the Management API. Your global client ID can be found in your Advanced Tenant Settings.

Be sure to replace YOUR_CLIENT_ID and MGMT_API_ACCESS_TOKEN placeholder values with your client ID and Access Token, respectively.

To make calls to the Management API, you must get and use a valid Access Token.

curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret"

	req, _ := http.NewRequest("POST", url, nil)

	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response ="https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret",
  "method": "POST",
  "headers": {
    "authorization": "Bearer MGMT_API_ACCESS_TOKEN"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'POST',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret',
  headers: { authorization: 'Bearer MGMT_API_ACCESS_TOKEN' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret"]
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret",
    "authorization: Bearer MGMT_API_ACCESS_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }

conn.request("POST", "/YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret", headers=headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID/rotate-secret")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "POST"
request.allHTTPHeaderFields = headers

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse


Update Authorized Applications

Once you've rotated your client secret, you must update any authorized applications with the new value.

To make sure that you see as little downtime as possible when connecting your apps to your Auth0 application, we suggest you store the new client secret as a fallback to the previous secret. Then, if the connection doesn't work with the old secret, your app will use the new secret.

Secrets can be stored in a list (or similar structure) to track keys until they're no longer needed. Once you're sure that an old secret is obsolete, you can remove its value from your app.