When to generate client secret for an OAuth app?

Topic Labels: API
Confused

The client secret is described as:

An optional private key that authenticates your integration when requesting an OAuth token.
You should only generate a client secret if you are requesting OAuth tokens from a server. Do not generate a client secret if you have a desktop, mobile, or web application directly issuing the OAuth token request.

Can anyone clarify why there is a difference between requesting a token from a server and from an application? Isn't using a client_secret generally more secure?

If I am creating an OAuth app that will be used by others to authenticate from different machines and possibly servers, should I add a client_secret or not?

1 Reply

My guess is that they wrote it that way due to different OAuth 2.0 grant types: https://oauth.net/2/grant-types/

For the Auth Code grant types, you definitely need a client secret imo: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
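The distinction asked about above, worked through for the authorization code grant the reply refers to, as an added example that is not from the thread or from the quoted documentation. It assumes standard OAuth 2.0 behaviour: a server-side (confidential) client authenticates the token request with its client_secret, while a desktop, mobile or web client that cannot keep a secret private binds the code with a PKCE code_verifier instead; the last function is the check an authorization server performs when the code is redeemed.

```python
import base64
import hashlib
import secrets

# Client kinds from the quoted guidance: only a server-side integration
# can keep a client_secret private; the others are shipped to end users.
CONFIDENTIAL = {"server"}
PUBLIC = {"desktop", "mobile", "web"}


def s256_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636): base64url(SHA-256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair():
    """Generate a random 43-char code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)


def verify_code_challenge(verifier, challenge):
    """Authorization-server side check when the authorization code is redeemed."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)


def build_token_request(client_kind, client_id, code, redirect_uri,
                        client_secret=None, code_verifier=None):
    """Form body for the authorization_code token exchange.

    Raises ValueError if a secret would be embedded in a public client,
    or if a public client tries to redeem a code without PKCE.
    """
    if client_kind not in CONFIDENTIAL | PUBLIC:
        raise ValueError(f"unknown client kind: {client_kind}")
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_kind in PUBLIC:
        if client_secret is not None:
            raise ValueError("a public client cannot keep a client_secret private")
        if code_verifier is None:
            raise ValueError("public clients bind the code with PKCE instead")
        body["code_verifier"] = code_verifier
    else:
        if client_secret is None:
            raise ValueError("a server-side client authenticates with its secret")
        body["client_secret"] = client_secret
        if code_verifier is not None:  # PKCE is still allowed for servers
            body["code_verifier"] = code_verifier
    return body
```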