Changing your application's client_secret

The client_secret of an application protects a service by only giving tokens to authorized applications. Client secrets should be protected, and if your client_secret has been compromised then you will need to generate a new one. Remember that all authorized apps will need to be updated with the new client_secret.

Changing your client_secret in the dashboard

You can change your client_secret under Applications in the dashboard. Choose the application you wish to edit by clicking on the Settings gear icon or the application name. You can edit the Client Secret field, and when you are finished, click the SAVE CHANGES button at the bottom of the page.

Updating authorized applications

Once you have changed your application's client_secret you will need to update any authorized applications to have the new value. To make sure the authorized application does not have any downtime with connecting to your application, we suggest you store the new client_secret as a fallback to the previous secret. So if the connection does not work with the old secret, use the new secret. The secrets can be stored in a list or similar structure to keep track of keys until they are no longer needed. Once you are sure an old secret is no longer used, it can safely be taken out of the application.

How to generate a new client_secret

If your client_secret needs to be replaced you will need to generate a new one on your own. It should be a cryptographically strong random string with only base64 characters. There are many ways to do this such as using a library that creates a GUID, a hashing function, etc.

Here is an example of a command you can use to generate a random string:

dd if=/dev/random bs=48 count=1 | base64

Using the Management API to set the new client_secret

You can also change your application's client_secret by using Update a client in the Management API. Set the id of the client you are updating, and then in the body section enter your new client_secret as a JSON field.

Note: The client_secret can only be updated with the update:client_keys scope.

You can get your client_id and client_secret by choosing your application in the Applications section of the dashboard.

Or you can update a client_secret by creating your own request to the API:

curl --request PATCH \
  --url \
  --header 'content-type: application/json' \
  --data '{"client_secret": "NEW_CLIENT_SECRET"}'
var client = new RestClient("");
var request = new RestRequest(Method.PATCH);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_secret\": \"NEW_CLIENT_SECRET\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := ""

	payload := strings.NewReader("{\"client_secret\": \"NEW_CLIENT_SECRET\"}")

	req, _ := http.NewRequest("PATCH", url, payload)

	req.Header.Add("content-type", "application/json")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.patch("")
  .header("content-type", "application/json")
  .body("{\"client_secret\": \"NEW_CLIENT_SECRET\"}")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "",
  "method": "PATCH",
  "headers": {
    "content-type": "application/json"
  "processData": false,
  "data": "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'PATCH',
  url: '',
  headers: { 'content-type': 'application/json' },
  body: { client_secret: 'NEW_CLIENT_SECRET' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"client_secret": @"NEW_CLIENT_SECRET" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@""]
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "",
  CURLOPT_POSTFIELDS => "{\"client_secret\": \"NEW_CLIENT_SECRET\"}",
    "content-type: application/json"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

payload = "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"

headers = { 'content-type': "application/json" }

conn.request("PATCH", "/api/v2/clients/YOUR_CLIENT_ID", payload, headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'

url = URI("")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["content-type"] = 'application/json'
request.body = "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["content-type": "application/json"]
let parameters = ["client_secret": "NEW_CLIENT_SECRET"]

let postData = NSJSONSerialization.dataWithJSONObject(parameters, options: nil, error: nil)

var request = NSMutableURLRequest(URL: NSURL(string: "")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse