OAuth2 Client Secret

The OAuth2 Client Secret is a confidential key assigned to an application when it is registered with an OAuth2 authorization server. It is used to authenticate the client application and protect access tokens.

Key Purposes of Client Secret

• Authenticates the Client -
  • Verifies the identity of the client application during the token exchange.
  • Ensures that only trusted apps can obtain access tokens.
• Protects Tokens -
  • Prevents malicious applications from impersonating the client.
  • Ensures tokens are issued to legitimate apps.

Where It Is Used

• In the Authorization Code Grant flow:
  • During the token exchange, the client sends the "client_id" and "client_secret" to obtain an access token.
  • Example:

    POST /token
    grant_type=authorization_code&
    code=AUTH_CODE&
    client_id=YOUR_CLIENT_ID&
    client_secret=YOUR_CLIENT_SECRET&
    redirect_uri=https://yourapp.com/callback
          

• In the Client Credentials Grant flow:
  • Used to authenticate the client and get an access token directly (without user interaction).

Security Note

• The Client Secret must be kept confidential and never exposed in public client environments, such as:
  • Single Page Applications (SPAs)
  • Mobile apps
  • Browser-based apps

In these cases, PKCE is recommended.

See OAuth2 PKCE Explained