Skip to main content
You can change an application’s using the or the Auth0 . When you rotate a client secret, you must update any authorized applications with the new value.
Client secrets should not be stored in public client applications. To learn more, read Confidential and Public Applications.
New secrets may be delayed up to thirty seconds while rotating. During this propagation window, either the old or the new secret may be accepted, so your application should be configured to try both. To avoid downtime, deploy the new secret to your application before it becomes active. The recommended approach is to set a custom client secret in advance (see Set a custom client secret): store the future secret in your application’s code/system configuration as a fallback so it’s already deployed when the rotation takes effect. Your app can then use whichever secret succeeds—if a request fails with the old secret, it falls back to the new one.Secrets can be stored in a list (or similar structure) until they’re no longer needed. Once you’re sure that an old secret is obsolete, you can remove its value from your app’s code.

Use the Dashboard

  1. In the Auth0 Dashboard, go to Applications > Applications, and then select the name of the application to view.
    Dashboard Applications List
  2. Scroll to the bottom of the Settings page, locate the Danger Zone, select Rotate, and confirm.
  3. Scroll to the top of the page, and switch to the Credentials tab.
  4. View your new secret by locating Client Secret, and selecting the eye icon.
    Dashboard Applications Application Settings Tab Basic Information
  5. Update authorized applications with the new value.

Use the Management API

  1. Call the Management API Rotate a client secret endpoint. Replace the {yourClientId} and {yourMgmtApiAccessToken} placeholder values with your client ID and Management API access token, respectively.
  1. Update authorized applications with the new value.

Set a custom client secret

You can use the Management API Update a client endpoint to to set a client secret manually instead of requesting a rotation to an automatically generated secret. Your application is configured with the future secret as a fallback ahead of the actual rotation.

Learn more