Basic Question on Client Secret

Does changing the client secret log out all users on SSO, causing them to have to log back in?

Thanks!

Hi @roby.lee

Welcome to Auth0 Community :clap:

Is your application a SPA or a web app?

Client secrets are only required for back-channel calls from secure applications. You can read more about types of applications here.

Users who are logged in from the front end will not be impacted when you change client secrets. BUT you would be required to change your backend services to use the new secret for Auth0 authentication.

Thanks
Jeff


Thanks @jeff0

I have changed the secret already, and it is just a matter of me changing it in Auth0 and activating it. When I do that, will users' SSO sessions be terminated, and will they have to re-authenticate with user and password?

Hi @roby.lee

A user session is terminated if any of the following happens:

  • the refresh token owned by the user is revoked
  • the user changes their password
  • the application terminates the session
  • the user is redirected to the logout endpoint

In your scenario the user will not be impacted.

How did you change it in the backend first and not in Auth0? Auth0 rotation must be done first to get a new secret. Is that what you meant?

Hope it helps
Jeff

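As an added illustration of Jeff's two answers (this is example code written for this page, not code from the thread or from Auth0): a toy in-memory authorization server that keeps the client credential (checked only on back-channel calls such as the token endpoint) separate from per-user sessions and refresh tokens. Rotating the client secret changes only the first; the session-ending events Jeff lists touch only the second. The `ToyAuthServer` class, the `web-app` client and the `roby` user are all constructed for the example and are not Auth0 identifiers.

```python
import hmac
import secrets


class ToyAuthServer:
    """Constructed stand-in for an authorization server (not Auth0's code).

    Two independent trust relationships live here:
      * clients: client_id -> client_secret, verified only on back-channel
        calls; this is the only thing secret rotation changes.
      * sessions / refresh_tokens: per-user state created at login; only the
        session-ending events from the thread touch these.
    """

    def __init__(self):
        self.clients = {}          # client_id -> current client_secret
        self.users = {}            # username -> password (plaintext: toy only)
        self.sessions = {}         # session_id -> username
        self.refresh_tokens = {}   # refresh_token -> username

    # ---- client credential (back channel) ----
    def register_client(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(32)
        return self.clients[client_id]

    def rotate_client_secret(self, client_id):
        """Replace the secret; no session or token state is touched."""
        self.clients[client_id] = secrets.token_urlsafe(32)
        return self.clients[client_id]

    def authenticate_client(self, client_id, presented_secret):
        expected = self.clients.get(client_id)
        if expected is None:
            return False
        # constant-time comparison so the check does not leak the secret
        return hmac.compare_digest(expected.encode(), presented_secret.encode())

    # ---- user session (front channel) ----
    def register_user(self, username, password):
        self.users[username] = password

    def login(self, username, password):
        if self.users.get(username) != password:  # toy: real servers hash
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def session_valid(self, session_id):
        return session_id in self.sessions

    def logout(self, session_id):
        self.sessions.pop(session_id, None)

    def issue_refresh_token(self, client_id, client_secret, session_id):
        """Back-channel call: needs the current client secret AND a live session."""
        if not self.authenticate_client(client_id, client_secret):
            raise PermissionError("invalid_client")
        user = self.sessions.get(session_id)
        if user is None:
            raise PermissionError("invalid_session")
        token = secrets.token_urlsafe(24)
        self.refresh_tokens[token] = user
        return token

    def refresh_token_valid(self, token):
        return token in self.refresh_tokens

    def revoke_refresh_token(self, token):
        self.refresh_tokens.pop(token, None)

    def change_password(self, username, new_password):
        """Password change ends every session and refresh token of that user."""
        self.users[username] = new_password
        self.sessions = {s: u for s, u in self.sessions.items() if u != username}
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != username}


def _fails(call):
    try:
        call()
    except PermissionError:
        return True
    return False


def rotation_scenario():
    """The thread's question: rotate the secret while a user is logged in."""
    srv = ToyAuthServer()
    old_secret = srv.register_client("web-app")
    srv.register_user("roby", "correct horse")
    sid = srv.login("roby", "correct horse")
    token = srv.issue_refresh_token("web-app", old_secret, sid)
    new_secret = srv.rotate_client_secret("web-app")
    return {
        "old_secret_rejected": not srv.authenticate_client("web-app", old_secret),
        "new_secret_accepted": srv.authenticate_client("web-app", new_secret),
        "session_still_valid": srv.session_valid(sid),
        "refresh_token_still_valid": srv.refresh_token_valid(token),
        # the backend must present the new secret on its next back-channel call
        "backend_with_old_secret_fails": _fails(lambda: srv.issue_refresh_token("web-app", old_secret, sid)),
        "backend_with_new_secret_works": srv.refresh_token_valid(srv.issue_refresh_token("web-app", new_secret, sid)),
    }


def session_end_scenario():
    """The events from the second answer that really do end a session."""
    srv = ToyAuthServer()
    secret = srv.register_client("web-app")
    srv.register_user("roby", "correct horse")
    sid_a = srv.login("roby", "correct horse")
    token = srv.issue_refresh_token("web-app", secret, sid_a)
    srv.revoke_refresh_token(token)
    revoked = not srv.refresh_token_valid(token)
    srv.change_password("roby", "new passphrase")
    ended_by_password = not srv.session_valid(sid_a)
    sid_b = srv.login("roby", "new passphrase")
    srv.logout(sid_b)
    ended_by_logout = not srv.session_valid(sid_b)
    return {"revoked": revoked, "ended_by_password": ended_by_password, "ended_by_logout": ended_by_logout}
```

The point of the split is that the secret authenticates the application to the token endpoint, not the user to the application; a cautious rollout therefore updates the backend's configured secret and confirms the next token exchange succeeds, while browser sessions carry on untouched.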

I am working collaboratively with users on another platform. They have a new secret generated that is not active on the backend yet. When they are ready, they will activate it and I will change it in Auth0.

Hopefully that context makes sense. Regardless, your answer helped me. I appreciate it!

