
client id vs secret



When do we need to send Client id vs Secret (is it based on whether the client is non-interactive)?
Also I am confused regarding the certificate: when do we need to use it?



The client id is just an identifier for the client you’re using for authentication. It can be publicly shared. The client secret should be protected and not shared publicly. If ever the client secret gets compromised, you should rotate it. Anyone with the client id and secret could just do a client credentials authentication and get authorized.

I think you first need to determine which OAuth 2.0 flow you should use and then you can see the How to implement the flow section from the grant you’ve chosen, linked in that document. A few examples are:


But can I just send the secret (without clientId) to do an authentication and get authorized?
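
An added example, not part of the original thread and not Auth0's code: a toy token-endpoint check for the client credentials grant (RFC 6749, section 4.4). The client id selects the registered client and the secret is then verified against that record, so a request carrying only one of the two is rejected with `invalid_client`. The registry, credential values and function names are constructed for illustration; `audience` is the extra parameter Auth0 uses to name the target API.

```python
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed registry: client_id -> client_secret (sample values, not real credentials).
REGISTERED_CLIENTS = {"example-client-id": "example-client-secret"}


def build_token_request(client_id, client_secret, audience):
    """Form-encoded body a client sends for the client credentials grant."""
    fields = {"grant_type": "client_credentials", "audience": audience}
    if client_id is not None:
        fields["client_id"] = client_id
    if client_secret is not None:
        fields["client_secret"] = client_secret
    return urlencode(fields)


def authenticate_client(body):
    """Toy authorization-server check; returns (http_status, oauth_error_or_None)."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return 400, "unsupported_grant_type"
    client_id = params.get("client_id")
    presented = params.get("client_secret")
    if not client_id or not presented:
        # A secret alone names no client, so there is no record to verify it against.
        return 401, "invalid_client"
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None:
        return 401, "invalid_client"
    # Constant-time comparison avoids leaking how much of the secret matched.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, "invalid_client"
    return 200, None


if __name__ == "__main__":
    api = "https://api.example.test"  # constructed audience value
    for cid, sec in [("example-client-id", "example-client-secret"),
                     (None, "example-client-secret"),
                     ("example-client-id", None)]:
        print(cid, bool(sec), authenticate_client(build_token_request(cid, sec, api)))
```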