Rotate Client Secrets
You can change an application's client secret using the Auth0 Dashboard or the Auth0 Management API. When you rotate a client secret, you must update any authorized applications with the new value.
Client secrets should not be stored in public client applications. To learn more, read Confidential and Public Applications.
New secrets may be delayed up to thirty seconds while rotating. To minimize downtime, we suggest you store the new client secret in your application's code/system configuration as a fallback to the previous secret. This way, if the client application request doesn't work with the old secret, your app will use the new secret.
Secrets can be stored in a list (or similar structure) until they're no longer needed. Once you're sure that an old secret is obsolete, you can remove its value from your app's code.
Use the Dashboard
In the Auth0 Dashboard, go to Applications > Applications, and then select the name of the application to view.
Scroll to the bottom of the Settings page, locate the Danger Zone, select Rotate, and confirm.
Scroll to the top of the page, and switch to the Credentials tab.
View your new secret by locating Client Secret, and selecting the eye icon.
Update authorized applications with the new value.
Use the Management API
Call the Management API Rotate a client secret endpoint. Replace the
YOUR_CLIENT_IDandMGMT_API_ACCESS_TOKENplaceholder values with your client ID and Management API access token, respectively.curl --request POST \ --url 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret' \ --header 'authorization: Bearer {yourMgmtApiAccessToken}'Was this helpful?
/var client = new RestClient("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret"); var request = new RestRequest(Method.POST); request.AddHeader("authorization", "Bearer {yourMgmtApiAccessToken}"); IRestResponse response = client.Execute(request);Was this helpful?
/package main import ( "fmt" "net/http" "io/ioutil" ) func main() { url := "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret" req, _ := http.NewRequest("POST", url, nil) req.Header.Add("authorization", "Bearer {yourMgmtApiAccessToken}") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) }Was this helpful?
/HttpResponse<String> response = Unirest.post("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret") .header("authorization", "Bearer {yourMgmtApiAccessToken}") .asString();Was this helpful?
/var axios = require("axios").default; var options = { method: 'POST', url: 'https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret', headers: {authorization: 'Bearer {yourMgmtApiAccessToken}'} }; axios.request(options).then(function (response) { console.log(response.data); }).catch(function (error) { console.error(error); });Was this helpful?
/#import <Foundation/Foundation.h> NSDictionary *headers = @{ @"authorization": @"Bearer {yourMgmtApiAccessToken}" }; NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret"] cachePolicy:NSURLRequestUseProtocolCachePolicy timeoutInterval:10.0]; [request setHTTPMethod:@"POST"]; [request setAllHTTPHeaderFields:headers]; NSURLSession *session = [NSURLSession sharedSession]; NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { if (error) { NSLog(@"%@", error); } else { NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response; NSLog(@"%@", httpResponse); } }]; [dataTask resume];Was this helpful?
/$curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_HTTPHEADER => [ "authorization: Bearer {yourMgmtApiAccessToken}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }Was this helpful?
/import http.client conn = http.client.HTTPSConnection("") headers = { 'authorization': "Bearer {yourMgmtApiAccessToken}" } conn.request("POST", "/{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret", headers=headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))Was this helpful?
/require 'uri' require 'net/http' require 'openssl' url = URI("https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["authorization"] = 'Bearer {yourMgmtApiAccessToken}' response = http.request(request) puts response.read_bodyWas this helpful?
/import Foundation let headers = ["authorization": "Bearer {yourMgmtApiAccessToken}"] let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/clients/%7ByourClientId%7D/rotate-secret")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()Was this helpful?
/Value Description YOUR_CLIENT_IDΤhe ID of the application to be updated. MGMT_API_ACCESS_TOKENAccess Tokens for the Management API with the scope update:client_keys.Update authorized applications with the new value.
Set a custom client secret
You can use the Management API Update a client endpoint to to set a client secret manually instead of requesting a rotation to an automatically generated secret. Your application is configured with the future secret as a fallback ahead of the actual rotation.
{
curl --request PATCH \
--url https://{TenantDomain}/api/v2/clients/{ClientID} \
--header 'Authorization: Bearer {AccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"client_secret": "{CustomClientSecret}"
}'
}Was this helpful?