Changing your application's client_secret

The client_secret of an application protects a service by only giving tokens to authorized applications. Client secrets should be protected, and if your client_secret has been compromised then you will need to generate a new one. Remember that all authorized apps will need to be updated with the new client_secret.

Changing your client_secret in the dashboard

You can change your client_secret under Clients in the dashboard. Choose the client you wish to edit by clicking on the Settings gear icon or the client name. You can edit the Client Secret field, and when you are finished, click the SAVE CHANGES button at the bottom of the page.

Updating authorized clients

Once you have changed your client's client_secret you will need to update any authorized clients to have the new value. To make sure the authorized client does not have any downtime with connecting to your client, we suggest you store the new client_secret as a fallback to the previous secret. So if the connection does not work with the old secret, use the new secret. The secrets can be stored in a list or similar structure to keep track of keys until they are no longer needed. Once you are sure an old secret is no longer used, it can safely be taken out of the client.

How to generate a new client_secret

If your client_secret needs to be replaced you will need to generate a new one on your own. It should be a cryptographically strong random string. There are many ways to do this such as using a library that creates a GUID, a hashing function, etc.

Here is an example of a command you can use to generate a random string:

dd if=/dev/random bs=48 count=1

Using the Management API to set the new Client Secret

You can change your client's secret by using the Rotate Secret API endpoint. This will rotate your secret with a secret generated by Auth0. This is the recommended approach, since we ensure a safe secret. However the generated secret will not be Base64-encoded. You can use this endpoint to start using non encoded secrets.

If you are still using a Base64-encoded client secret and you want to change your client's secret with a new encoded one, you can use the Update a client API endpoint. Set the id of the client you are updating, and then in the body section enter your new client_secret as a JSON field.

The client_secret can only be updated with the update:client_keys scope.

You can get your client_id and client_secret by choosing your client in the Clients section of the dashboard.

Or you can update a client_secret by creating your own request to the API:


curl --request PATCH \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID' \
  --header 'content-type: application/json' \
  --data '{"client_secret": "NEW_CLIENT_SECRET"}'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID");
var request = new RestRequest(Method.PATCH);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_secret\": \"NEW_CLIENT_SECRET\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID"

	payload := strings.NewReader("{\"client_secret\": \"NEW_CLIENT_SECRET\"}")

	req, _ := http.NewRequest("PATCH", url, payload)

	req.Header.Add("content-type", "application/json")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.patch("https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID")
  .header("content-type", "application/json")
  .body("{\"client_secret\": \"NEW_CLIENT_SECRET\"}")
  .asString();
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID",
  "method": "PATCH",
  "headers": {
    "content-type": "application/json"
  },
  "processData": false,
  "data": "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});
var request = require("request");

var options = { method: 'PATCH',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID',
  headers: { 'content-type': 'application/json' },
  body: { client_secret: 'NEW_CLIENT_SECRET' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"client_secret": @"NEW_CLIENT_SECRET" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_POSTFIELDS => "{\"client_secret\": \"NEW_CLIENT_SECRET\"}",
  CURLOPT_HTTPHEADER => array(
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
import http.client

conn = http.client.HTTPSConnection("")

payload = "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"

headers = { 'content-type': "application/json" }

conn.request("PATCH", "/YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Patch.new(url)
request["content-type"] = 'application/json'
request.body = "{\"client_secret\": \"NEW_CLIENT_SECRET\"}"

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["content-type": "application/json"]
let parameters = ["client_secret": "NEW_CLIENT_SECRET"]

let postData = NSJSONSerialization.dataWithJSONObject(parameters, options: nil, error: nil)

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/clients/YOUR_CLIENT_ID")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    println(error)
  } else {
    let httpResponse = response as? NSHTTPURLResponse
    println(httpResponse)
  }
})

dataTask.resume()

Remember that if your client uses a Base64-encoded client secret, and you want to update it using the Update a client API endpoint then the updated one has to be encoded as well. Otherwise, you should use the Rotate Secret API endpoint.