Rotate Client Secrets

Rotate Client Secrets

You can change an app's client secret using Auth0's Dashboard or the Management API. When you rotate a client secret, you must update any authorized apps with the new value.

Use the Dashboard

  1. Go to Dashboard > Applications > Applications and select the name of the application to view.

    Dashboard Applications List
  2. Scroll to the bottom of the Settings page, locate the Danger Zone, select Rotate, and confirm.

  3. View your new secret by scrolling to the top of the Settings page, locating Client Secret, and selecting its eye icon.

    Dashboard Applications Application Settings Tab Basic Information

  4. Update authorized applications with the new value.

Use the Management API

  1. Make a POST call to the /Clients/post_rotate_secret endpoint. Be sure to replace YOUR_CLIENT_ID and MGMT_API_ACCESS_TOKEN placeholder values with your client ID and Management API access token, respectively.

    
    
    curl --request POST \
      --url 'https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret' \
      --header 'authorization: Bearer {yourMgmtApiAccessToken}'

    Was this helpful?

    /
    var client = new RestClient("https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret");
    var request = new RestRequest(Method.POST);
    request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}");
    IRestResponse response = client.Execute(request);

    Was this helpful?

    /
    package main
    
    import (
    	"fmt"
    	"net/http"
    	"io/ioutil"
    )
    
    func main() {
    
    	url := "https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret"
    
    	req, _ := http.NewRequest("POST", url, nil)
    
    	req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}")
    
    	res, _ := http.DefaultClient.Do(req)
    
    	defer res.Body.Close()
    	body, _ := ioutil.ReadAll(res.Body)
    
    	fmt.Println(res)
    	fmt.Println(string(body))
    
    }

    Was this helpful?

    /
    HttpResponse<String> response = Unirest.post("https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret")
      .header("authorization", "Bearer {yourMgmtApiAccessToken}")
      .asString();

    Was this helpful?

    /
    var axios = require("axios").default;
    
    var options = {
      method: 'POST',
      url: 'https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret',
      headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'}
    };
    
    axios.request(options).then(function (response) {
      console.log(response.data);
    }).catch(function (error) {
      console.error(error);
    });

    Was this helpful?

    /
    #import <Foundation/Foundation.h>
    
    NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" };
    
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret"]
                                                           cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                       timeoutInterval:10.0];
    [request setHTTPMethod:@"POST"];
    [request setAllHTTPHeaderFields:headers];
    
    NSURLSession *session = [NSURLSession sharedSession];
    NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                    if (error) {
                                                        NSLog(@"%@", error);
                                                    } else {
                                                        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                        NSLog(@"%@", httpResponse);
                                                    }
                                                }];
    [dataTask resume];

    Was this helpful?

    /
    $curl = curl_init();
    
    curl_setopt_array($curl, [
      CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret",
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => "",
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 30,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => "POST",
      CURLOPT_HTTPHEADER => [
        "authorization: Bearer {yourMgmtApiAccessToken}"
      ],
    ]);
    
    $response = curl_exec($curl);
    $err = curl_error($curl);
    
    curl_close($curl);
    
    if ($err) {
      echo "cURL Error #:" . $err;
    } else {
      echo $response;
    }

    Was this helpful?

    /
    import http.client
    
    conn = http.client.HTTPSConnection("")
    
    headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" }
    
    conn.request("POST", "/YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret", headers=headers)
    
    res = conn.getresponse()
    data = res.read()
    
    print(data.decode("utf-8"))

    Was this helpful?

    /
    require 'uri'
    require 'net/http'
    require 'openssl'
    
    url = URI("https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret")
    
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    
    request = Net::HTTP::Post.new(url)
    request["authorization"] = 'Bearer {yourMgmtApiAccessToken}'
    
    response = http.request(request)
    puts response.read_body

    Was this helpful?

    /
    import Foundation
    
    let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"]
    
    let request = NSMutableURLRequest(url: NSURL(string: "https://YOUR_DOMAIN/api/v2/clients/%7ByourClientId%7D/rotate-secret")! as URL,
                                            cachePolicy: .useProtocolCachePolicy,
                                        timeoutInterval: 10.0)
    request.httpMethod = "POST"
    request.allHTTPHeaderFields = headers
    
    let session = URLSession.shared
    let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
      if (error != nil) {
        print(error)
      } else {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse)
      }
    })
    
    dataTask.resume()

    Was this helpful?

    /
    Value Description
    YOUR_CLIENT_ID Τhe ID of the application to be updated.
    MGMT_API_ACCESS_TOKEN Access Tokens for the Management API with the scope update:client_keys.

  2. Update authorized applications with the new value.

Set a custom client secret

You can use the Management API's /Clients/patch_clients_by_id to to set a client secret manually instead of requesting a rotation to an automatically generated secret. Your application is configured with the future secret as a fallback ahead of the actual rotation.

{
    curl --request PATCH \
    --url https://{TenantDomain}/api/v2/clients/{ClientID} \
    --header 'Authorization: Bearer {AccessToken}' \
    --header 'Content-Type: application/json' \
    --data '{
        "client_secret": "{CustomClientSecret}"
        }'
}

Was this helpful?

/

Learn more