When you Create Client Credentials, can_keep_secret defaults to true.
If your client uses a restricted-access server (for example, your client is a website), then your client will need to keep a secret. This secret is automatically generated and returned in the CreateClient Response. Once you have a secret, you can use it to authenticate your requests for access tokens.
If your client runs directly on end-user hardware and does not have a trusted server making calls to the OAuth API, then your client cannot keep a secret. In your Create Client Credentials call, set can_keep_secret=false, and no secret will be generated for your client. Instead, you’ll need to generate and store a secret on each client device, which will be used to authenticate your requests for access tokens.
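An added example, not code from this API's documentation, of the last step above: generating a secret on the device with a CSPRNG and storing it so that only the current user can read it. The file path, the 32-byte length and the use of a mode-0600 file as the store are assumptions; how the secret is then presented when requesting access tokens is not shown because the page does not specify it.

```python
import os
import secrets
import stat

SECRET_BYTES = 32  # assumption: 256 bits of CSPRNG output per device


def check_private(path):
    """Refuse a secret file that group or others can access (POSIX only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0600")


def load_or_create_device_secret(path):
    """Return (secret, created) for this device.

    The secret is generated on first use, never shipped inside the
    application, so every installation ends up with a different value.
    """
    try:
        # O_EXCL: fail instead of overwriting an existing secret.
        # Mode 0600 is applied at creation, so the file is never
        # readable by other users, even briefly.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        check_private(path)
        with open(path, "r", encoding="ascii") as fh:
            secret = fh.read().strip()
        if not secret:
            raise ValueError(f"{path} exists but is empty")
        return secret, False

    secret = secrets.token_urlsafe(SECRET_BYTES)  # OS CSPRNG, URL-safe text
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(secret)
    return secret, True


if __name__ == "__main__":
    # Hypothetical location; use a per-user application data directory.
    path = os.path.join(os.path.expanduser("~"), ".example_client_secret")
    _, created = load_or_create_device_secret(path)
    print("created new device secret" if created else "reusing stored secret")
```

Where the platform offers a keystore or credential manager, it can replace the file while the generate-once, per-device logic stays the same.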