How often do we need to update the client secret?

Hi! I am implementing the authorization code flow and wanted to know: how often do we have to replace the client ID/client secret? Are these credentials meant to last forever, or to be reset periodically?

Thanks in advance for your time!


They are generated to last, as the secret is considered to be saved on a trusted back-end server. Also, there is no way for you to refresh the secret, unless you want to create another application in your org.

@alina-dc Actually you can change the client secret by clicking on the “Edit” button on the Client Credentials section and you should see an option to generate a new client secret.


Yay, good to know :slight_smile: Never paid attention to this option!

Great, thanks for this information. I now know that it's possible to update the secret, but is there a recommendation for doing that periodically? For example, is it a best practice to change the secret once a year? Or is it fine to not plan to ever change it?

If your client secret is stored safely and is not exposed, I don’t see a reason why you would need to rotate it periodically unless you need to meet some sort of compliance. However, I’m not a security analyst so take my words with a grain of salt.