Generates a new client secret for the specified API client. Optionally, the old client secret can remain valid for a specified grace period (up to 168 hours). In effect, the API client would then have two clients secrets: the new secret and the old secret. After the grace period has expired only the new secret will be valid.

If you have a security issue, you can use this endpoint to change a client's client_secret value. This is typically preferable to generating a new client/secret pair, which would involve changing everything from permissions to access schemas to hard-coded instances of the credentials.

The configurable grace period is provided to allow for changes and updates to be made before the new secret takes over and, potentially, breaks existing code.

This endpoint includes the following methods:

  • POST



This endpoint supports Basic authentication. 

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Identity Cloud Capture domain; for example:


Your Capture domains (also known as Registration domains) can be found in the Console on the Manage Application page:


Example Request

This command creates a new client secret for the API client with the ID 67890fghij67890fghij. Setting the hours_to_live parameter to 24 means that the current client secret will remain valid for 24 hours. During that time you will be to use either the new secret or the old secret; after 24 hours, you will only be able to use the new secret.

curl -X POST \
  -H "Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg="\
  --data-urlencode for_client_id=67890fghij67890fghij \
  --data-urlencode hours_to_live=24\
      Running this command in Postman

Authorized Clients

  • owner


  •  janrain-signed
  •  basic-auth

Query Parameters

Parameter Type Required Description
for_client_id string Yes Client ID for the client whose secret is being reset.
hours_to_live string Yes Integer value between 0 and 168, inclusive, that determines the number of hours in which the old client secret remains valid.


200 OK

Responses Fields

Field Type Description



The new client_secret value replacing the current client_secret.

Example Error Response

Triggered when a request of 320 hours was set with the hours_to_live parameter.

  "argument_name": "hours_to_live",
  "request_id": "zxu4ay2wfg8fb5ud",
  "code": 200,
  "error_description": "hours_to_live was not valid for the following
    reason: hours_to_live must bebetween 0and168",
  "error": "invalid_argument",
  "stat": "error"

Response Example (application/json)

  "new_secret": "abcde12345abcde12345abcde12345",
  "stat": "ok"