Help

When to generate client secret for an OAuth app?

Topic Labels: API
2035 1
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Confused
4 - Data Explorer
4 - Data Explorer
See Solution in Thread

‎Feb 13, 2023 06:52 AM

The client secret is described as:

An optional private key that authenticates your integration when requesting an OAuth token.
You should only generate a client secret if you are requesting OAuth tokens from a server. Do not generate a client secret if you have a desktop, mobile, or web application directly issuing the OAuth token request.

Can anyone clarify why there is a difference between requesting a token from a server and from an application? Isn't using a client_secret generally more secure?

If I am creating an OAuth app that will be used by others to authenticate from different machines and possibly servers, should I add a client_secret or not?

0 Kudos
Reply
1 Reply 1
Rupert_Hoffsch1
10 - Mercury
10 - Mercury
See Solution in Thread

‎Feb 13, 2023 07:15 AM

My guess is that they wrote it that due to different OAuth 2.0 grant types: https://oauth.net/2/grant-types/

For the Auth Code grant types, you definitely need a client secret imo: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

0 Kudos
Reply
Copyright © 2025 Khoros, LLC