Client Secret

When you Create Client Credentials, can_keep_secret defaults to true.

If your client uses a restricted-access server (for example, your client is a website), then your client will need to keep a secret. This secret is automatically generated and returned in the CreateClient Response. Once you have a secret, you can use it to authenticate your requests for access tokens.

Important: Keep this secret somewhere safe and private. It cannot be retrieved again, because only a hash of it is stored on the server side, so if you lose it you will need to invalidate it and reset it.

If your client runs directly on end-user hardware and does not have a trusted server making calls to the OAuth API, then your client cannot keep a secret. In your Create Client Credentials call, set can_keep_secret=false, and no secret will be generated for your client. Instead, you'll need to generate and store a secret on each client device, and that per-device secret will be used to authenticate your requests for access tokens.
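The following is an added example, not code from this API's documentation or client libraries, illustrating the two sides described above: a server that keeps only a hash of an issued secret (so a lost secret can only be reset, never recovered), and a public client (can_keep_secret=false) that generates its own high-entropy secret per device and stores it in a file readable only by its owner. The hashing scheme (plain SHA-256, adequate here because the secret is 256 bits of random data rather than a user-chosen password), the in-memory store, and the use of HTTP Basic client authentication for the token request are assumptions; the page does not specify which authentication method or storage the real service uses.

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

# ---- Server side: issue a secret once, keep only its digest ---------------

def generate_client_secret(nbytes: int = 32) -> str:
    """Return a fresh, high-entropy, URL-safe secret (32 bytes -> 43 chars)."""
    return secrets.token_urlsafe(nbytes)

def hash_secret(secret: str) -> str:
    """Digest that the server stores; the plaintext is never persisted."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

class SecretStore:
    """Constructed in-memory stand-in for the server's credential table."""

    def __init__(self) -> None:
        self._digests: dict[str, str] = {}  # client_id -> sha256 hex digest

    def register(self, client_id: str) -> str:
        """Create a secret for a confidential client; returned exactly once."""
        secret = generate_client_secret()
        self._digests[client_id] = hash_secret(secret)
        return secret

    def reset(self, client_id: str) -> str:
        """Invalidate the old secret and issue a new one (the only recovery path)."""
        return self.register(client_id)

    def verify(self, client_id: str, presented: str) -> bool:
        """Constant-time comparison of digests; unknown clients always fail."""
        stored = self._digests.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hash_secret(presented))

# ---- Client side: authenticate a token request with the secret -------------

def basic_auth_header(client_id: str, secret: str) -> str:
    """HTTP Basic client authentication value (assumed method, RFC 6749 s.2.3.1)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# ---- Public client: generate and store a per-device secret -----------------

def load_or_create_device_secret(path: Path) -> str:
    """Reuse the device's secret if present, otherwise create it with mode 0600."""
    if path.exists():
        return path.read_text(encoding="utf-8").strip()
    secret = generate_client_secret()
    # O_EXCL prevents a race where another process pre-creates a readable file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret)
    return secret

def secret_file_is_private(path: Path) -> bool:
    """True when no group/other permission bits are set on the secret file."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0

def demo_device_secret_storage() -> dict:
    """Create a per-device secret in a temp dir and confirm it is reused and private."""
    workdir = Path(tempfile.mkdtemp())
    secret_path = workdir / "device_secret"
    first = load_or_create_device_secret(secret_path)
    second = load_or_create_device_secret(secret_path)
    return {
        "stable": first == second,
        "private": secret_file_is_private(secret_path),
        "length": len(first),
    }

if __name__ == "__main__":
    store = SecretStore()
    issued = store.register("example-client")          # constructed client id
    print("server accepts issued secret:", store.verify("example-client", issued))
    print("Authorization:", basic_auth_header("example-client", issued))
    print("per-device secret:", demo_device_secret_storage())
```

The reset path is the whole point of the server half: because verify() only ever compares digests, there is no code path that can hand the plaintext back, which is exactly why the documentation tells you to store the secret safely the first time you see it.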