Endpoint URL: {registrationDomain} /clients/reset_secret
Important. It's highly-recommended that you contact Akamai support (or your Identity Cloud representative) before you change the client secret for an owner client. That's because changing an owner client secret can have repercussions that go beyond simply assigning a new secret to the client. Note that this is especially true for organizations running Hosted Login. See this article for more information.
Description
Generates a new client secret for the specified API client. Optionally, the old client secret can remain valid for a specified grace period (up to 168 hours). In effect, the API client would then have two clients secrets: the new secret and the old secret. After the grace period has expired only the new secret will be valid.
If you have a security issue, you can use this endpoint to change a client's client_secret value. This is typically preferable to generating a new client/secret pair, which would involve changing everything from permissions to access schemas to hard-coded instances of the credentials.
The configurable grace period is provided to allow for changes and updates to be made before the new secret takes over and, potentially, breaks existing code.
Respects the API Client Allow List: Yes
API Client Permissions
The following table indicates the API clients that can (and the API clients that can't) be used to call this endpoint:
owner | access_issuer | direct_access | direct_read_access | login_client |
Yes | No | No | No | No |
Authentication
This endpoint supports Basic authentication.
How to Create an Authentication String
Base URL
The base URL for this endpoint is your Identity Cloud Capture domain; for example:
https://educationcenter.us-
Your Capture domains (also known as Registration domains) can be found in the Console on the Manage Application page:
Examples
Example Request
This command creates a new client secret for the API client with the ID 67890fghij67890fghij. Setting the hours_to_live parameter to 24 means that the current client secret will remain valid for 24 hours. During that time you will be to use either the new secret or the old secret; after 24 hours, you will only be able to use the new secret.
curl -X POST \ -H "Authorization: Basicc2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg="\ --data-urlencode for_client_id=67890fghij67890fghij \ --data-urlencode hours_to_live=24\ https://my-app.janraincapture.com/clients/reset_secret
Running this command in Postman
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| for_client_id | string | Yes | Client ID for the client whose secret is being reset. |
| hours_to_live | string | Yes | Integer value between 0 and 168, inclusive, that determines the number of hours in which the old client secret remains valid. |
Responses
200 OK
Responses Fields
| Field | Type | Description |
|---|---|---|
new_secret | dictionary | The new client_secret value replacing the current client_secret. |
Example Error Response
Triggered when a request of 320 hours was set with the hours_to_live parameter.
{
"argument_name": "hours_to_live",
"request_id": "zxu4ay2wfg8fb5ud",
"code": 200,
"error_description": "hours_to_live was not valid for the following
reason: hours_to_live must bebetween 0and168",
"error": "invalid_argument",
"stat": "error"
}
Response Example (application/json)
{
"new_secret": "abcde12345abcde12345abcde12345",
"stat": "ok"
}
