Currently Auth0 provides a global client id/secret pair for legacy APIs: https://manage.auth0.com/#/account/advanced
Is there any way to disable these entirely? They represent a fairly significant potential security concern if ever leaked since they can’t be easily changed, and since there’s only one pair it’s difficult to coordinate rotation.
I’ve been instructed in the past that it’s possible to change the global secret via the API itself, but at the time this resulted in users’ credentials being invalidated. I’d rather disable the feature entirely and fall back to individual client IDs.