58 changes: 38 additions & 20 deletions src/content/docs/build/applications/rotate-client-secret.mdx
@@ -1,47 +1,65 @@
---
page_id: 8f6af95a-14ef-436d-862f-bfa82e836558
title: Rotate client secret
title: Rotate client secret for your application
description: Security guide for rotating client secrets in backend and machine-to-machine applications including step-by-step rotation process and dependency management.
sidebar:
order: 4
label: Rotate client secret
tableOfContents:
maxHeadingLevel: 3
relatedArticles:
- 6c70b7ae-1b1b-43bb-bea1-9b3ec88dd082
- 38d2394f-f064-47a1-89d0-078597b78412
topics:
- applications
- security
- authentication
sdk: []
languages: []
audience: developers
complexity: intermediate
keywords:
- client secret rotation
- security
- backend apps
- M2M apps
- rotate client secret
- backend application security
- M2M application security
- machine to machine apps
- secret management
updated: 2024-01-15
- Kinde client secret
- credential rotation
- application security
updated: 2026-05-13
featured: false
deprecated: false
ai_summary: Security guide for rotating client secrets in backend and machine-to-machine applications including step-by-step rotation process and dependency management.
ai_summary: "This page explains how to rotate the client secret for backend and machine-to-machine (M2M) applications in Kinde. Rotating a client secret involves completely deactivating the old secret, so all dependent apps, connections, and services must be updated with the new secret immediately. The guide covers the step-by-step process: navigating to the application details in the Kinde dashboard, accessing the Admin actions section, and selecting Rotate. Users on paid plans can retain the previous client secret temporarily using the Maintain previous secret toggle, giving time to update dependencies before deleting the old secret. Once the previous secret is deleted, a new rotation can be performed. Client secret rotation is only available for back-end and machine-to-machine applications."
---

To ensure your applications remain secure, you can periodically rotate the Client secret stored in the Kinde-side application.
To ensure your applications remain secure, you can periodically rotate the client secret generated by Kinde.

You can only do this for back-end and machine-to-machine applications.
You can only rotate client secrets for:
- Back-end applications
- Machine to Machine (M2M) applications

Note that you can only rotate a client secret by completely deactivating the old one. So you must update any dependent apps, connections, and services with the new secret ASAP.
<Aside>
You can only rotate a client secret by completely deactivating the old one. You must update any dependent apps, connections, and services with the new secret immediately.
</Aside>

## Rotate client secret in Kinde

1. In Kinde, go to **Settings > Applications**.
2. Select **View details** on the relevant application.
3. Scroll to the **Admin actions** section.
4. If you have previously retained a Client secret you’ll need to delete the previous secret first:
1. Take a copy of the previous secret if you want to.
2. Select **Delete previous client secret.**
5. Select **Rotate**. A confirmation window opens.
6. If you want, opt in to rotate the client secret and retain the old secret. You may need to [upgrade plans](https://kinde.com/pricing/) to do this.
7. If you don’t want to retain the previous secret, or you don’t want to upgrade, leave the switch off.
8. Select **Rotate client secret**.
9. Update any dependent apps, connections, and services with the new secret.
1. Go to your Kinde dashboard and select **View details** on the application you want to rotate the client secret for.
2. Go to **Details** > scroll to the **Admin actions** section.
3. Select **Rotate**. A confirmation window opens.

If you want to retain the previous client secret, enable the **Maintain previous secret** toggle.
<Aside type="upgrade">
You will need a paid plan to retain the previous client secret. See [Kinde pricing](https://kinde.com/pricing/).
</Aside>
4. Select **Rotate client secret**.

## Maintaining the previous client secret

If you kept the previous client secret, you will have options to **copy** or **delete** the previous client secret.

1. Select **Delete previous client secret** before you can rotate to a new client secret.

![Delete previous client secret](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/72e8e7f7-620e-4c77-07bb-18ea106c6600/socialsharingimage)
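Review bot: The new Aside near the top states "You can only rotate a client secret by completely deactivating the old one", but step 3 of the rewritten procedure offers the **Maintain previous secret** toggle, so the two statements conflict for paid plans. Suggest qualifying the Aside, for example that the old secret is deactivated unless the previous secret is maintained. The rewritten steps also end at "Select **Rotate client secret**" and drop the old step 9, "Update any dependent apps, connections, and services with the new secret"; restoring it as the final step keeps that action in the procedure rather than only in the Aside. In "Maintaining the previous client secret", the single numbered step reads as an instruction to delete straight away, while the ai_summary says the retained secret gives time to update dependencies first; the body should say to delete the previous secret once all dependents use the new one. As shown here, the toggle paragraph and the upgrade Aside are not indented under step 3, so check that the ordered list still renders through to step 4.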
63 changes: 37 additions & 26 deletions src/content/docs/get-started/connect/getting-app-keys.mdx
@@ -1,8 +1,11 @@
---
page_id: 38d2394f-f064-47a1-89d0-078597b78412
title: Get application keys
title: Get application keys to connect your codebase
sidebar:
order: 1
label: Get app keys
tableOfContents:
maxHeadingLevel: 3
description: Guide to obtaining and managing Kinde application keys including client ID, client secret, and security best practices for credential management.
relatedArticles:
- 684fc526-a338-4a67-9af6-742a39b66aff
Expand All @@ -23,50 +26,58 @@ audience:
complexity: beginner
keywords:
- app keys
- application keys
- client id
- client secret
- rotate client secret
- M2M application
- front-end applications
- PKCE
- credentials
- secrets manager
- environment variables
- security
updated: 2024-01-15
updated: 2026-05-13
featured: false
deprecated: false
ai_summary: Guide to obtaining and managing Kinde application keys including client ID, client secret, and security best practices for credential management.
ai_summary: "This guide explains how to find, copy, and use Kinde application keys (App keys) — the credentials required to connect a codebase to Kinde. Each application has a unique set of keys in its settings page, including a Kinde-issued domain, an optional custom domain, a client ID, and a client secret (back-end and M2M applications only). The guide walks through viewing and copying keys, then linking them to an application via the relevant SDK. It also covers three common questions: client secrets for back-end and M2M applications can be rotated directly, while front-end applications such as single-page apps and mobile apps have no client secret because their source code is publicly accessible and authorization is handled via the Authorization Code Flow with PKCE; and client secrets should be stored in a secure environment such as a secrets manager, with .env or configuration files excluded from version control via .gitignore."
---

Application keys - or app keys - are credentials that you need to connect your project to Kinde. There are unique app keys for each application you have. This includes each machine to machine, front-end, back-end, or single-page application, etc.
Application keys or **App keys** are credentials that you need to connect your codebase to Kinde. Each application and type has a unique set of keys you will find in the settings page for your application. Learn more about [applications in Kinde](/build/applications/about-applications/).

For more information about Kinde apps, see [Applications in Kinde](/build/applications/about-applications/).
## View and copy app keys

## About app keys
1. Go to your Kinde dashboard and select **View details** on the application you want to connect.
2. Go to **Details** > scroll to the **App keys** section.

In the App keys section of your application in Kinde, you’ll find these details:
You will find the following keys:
- **Custom domain** - if you have [configured a custom domain](/build/domains/pointing-your-domain/)
- **Domain** - this is the domain issued by Kinde
- **Client ID** - unique for this app
- **Client secret** - unique for this app (only back-end and M2M apps have client secrets)

- **Custom domain** - if you have opted to use one
- **Domain** - this is the domain issued by Kinde
- **Client ID** - unique for this app
- **Client secret** - unique for this app (only back-end and M2M apps have client secrets)
3. Select the **Copy** icon next to the key you want to copy.
4. Add the app keys to your application by following the instructions in the relevant [SDK](/developer-tools/about/our-sdks/).

<Aside title="Rotating client secrets in Kinde">
## App key FAQs

You can only rotate client secrets for M2M applications. For backend applications, follow [these token security principles](/build/tokens/refresh-tokens/#token-security-recommendations).
### How can I rotate my client secret?

</Aside>
You can rotate client secrets for your back-end and M2M applications.

## View and copy app keys
1. Go to the **Details** page of your application.
2. Scroll to the **Admin actions** section.
3. Select **Rotate client secret**.
4. Follow the prompts to rotate your client secret.

Learn more about how to [rotate your client secret](/build/applications/rotate-client-secret/).

1. Go to **Settings > Environment > Applications**.
2. Find the application you want to connect.
3. On the application tile, select **View details**.
4. Scroll to the **App keys** section.
5. Select **Copy** to copy the keys.
6. Make sure you securely store and manage your client secret as it provides access to your Kinde account for your product.
### Why don't front-end applications have a client secret?

<Aside>
Front-end applications such as single-page apps or mobile apps do not have a client secret because their source code is publicly available. Anyone can download the compiled package and see the client secret.

Note that front-end (client-side) applications do not have a client secret because they run in insecure environments, typically a browser.
Learn more about how authorization works for front-end applications in [Authorization Code Flow with PKCE](https://www.kinde.com/learn/authentication/protocols/oauth-grant-types-explained/#2-proof-key-for-code-exchange-pkce).

</Aside>
### How can I securely store my client secret?

7. Add the app key details to the .env file in your code base or starter kit. Follow the instructions in the relevant [SDK](/developer-tools/about/our-sdks/) or the README file in the starter kit.
8. Do this for each application you want to connect.
Store your client secret in a secure environment, such as a secrets manager. Add your `.env` or configuration file to `.gitignore` to prevent it from being committed to your codebase.
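Review bot: In the "How can I rotate my client secret?" FAQ, step 3 says to select **Rotate client secret** in the Admin actions section, while rotate-client-secret.mdx in this same change says to select **Rotate** there and **Rotate client secret** only in the confirmation window; align the labels or reduce the FAQ to the link. The old copy step told readers to "securely store and manage your client secret", and the new steps 3 and 4 carry no such reminder at the point where the secret is copied, so consider pointing step 4 at the storage FAQ. In that storage FAQ, it is worth adding that `.gitignore` does not stop Git from tracking a file that has already been committed. In the front-end FAQ, "Anyone can download the compiled package and see the client secret" reads as if a secret exists in those apps; wording such as "could extract any secret embedded in it" is clearer.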