Client Secret

This table describes when the client_secret is required.

In each of the endpoint's documentation, it describes when and how to use the client_secret in the request body or the Authorization header using HTTP Basic Auth.

Even when the client secret is not required, if it is provided it will be validated.

Previous to version 1.28.0, whether the client secret was required was controlled by the oauthConfiguration.requireClientAuthentication value of the application object. In that case, a value of true is equivalent to a clientAuthenticationPolicy of Required and a value of false is equivalent to a clientAuthenticationPolicy of NotRequired.

For versions 1.28.0 or later, use oauthConfiguration.clientAuthenticationPolicy to configure this functionality.

When Is the Client Secret Required

GrantclientAuthenticationPolicy valuePKCE UsedClient Secret Required
Authorization Code GrantRequired-Yes
Authorization Code GrantNotRequired-No
Authorization Code GrantNotRequiredWhenUsingPKCEYesNo
Authorization Code GrantNotRequiredWhenUsingPKCENoYes
Implicit GrantN/A--
Password Credentials GrantRequired-Yes
Password Credentials GrantNotRequired-No
Refresh Token GrantRequired-Yes
Refresh Token GrantNotRequired-No