/clients/reset_secret

Generates a new client secret for the specified API client. Optionally, the old client secret can remain valid for a specified grace period (up to 168 hours). In effect, the API client would then have two clients secrets: the new secret and the old secret. After the grace period has expired only the new secret will be valid.

If you have a security issue, you can use this endpoint to change a client's client_secret value. This is typically preferable to generating a new client/secret pair, which would involve changing everything from permissions to access schemas to hard-coded instances of the credentials.

The configurable grace period is provided to allow for changes and updates to be made before the new secret takes over and, potentially, breaks existing code.

This endpoint includes the following methods:

POST

POST

Authentication

This endpoint supports Basic authentication.

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Identity Cloud Capture domain; for example:

https://educationcenter.us-dev.janraincapture.com

Your Capture domains (also known as Registration domains) can be found in the Console on the Manage Application page:

Examples

Example Request

This command creates a new client secret for the API client with the ID 67890fghij67890fghij. Setting the hours_to_live parameter to 24 means that the current client secret will remain valid for 24 hours. During that time you will be to use either the new secret or the old secret; after 24 hours, you will only be able to use the new secret.


curl -X POST \
  -H "Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg="\
  --data-urlencode for_client_id=67890fghij67890fghij \
  --data-urlencode hours_to_live=24\
  https://my-app.janraincapture.com/clients/reset_secret

Running this command in Postman

Authorized Clients

owner

Security

janrain-signed
basic-auth

Query Parameters

Parameter	Type	Required	Description
for_client_id	string	Yes	Client ID for the client whose secret is being reset.
hours_to_live	string	Yes	Integer value between 0 and 168, inclusive, that determines the number of hours in which the old client secret remains valid.

Responses

200 OK

Responses Fields

Field	Type	Description
new_secret	dictionary	The new client_secret value replacing the current client_secret.

Example Error Response

Triggered when a request of 320 hours was set with the hours_to_live parameter.


{
  "argument_name": "hours_to_live",
  "request_id": "zxu4ay2wfg8fb5ud",
  "code": 200,
  "error_description": "hours_to_live was not valid for the following
    reason: hours_to_live must bebetween 0and168",
  "error": "invalid_argument",
  "stat": "error"
}

Response Example (application/json)


{
  "new_secret": "abcde12345abcde12345abcde12345",
  "stat": "ok"
}

How to Create an Authentication String

To create an authentication string, combine your API client ID, a colon (:), and your client secret into a single value. For example, if your client ID is abcdefg and your client secret is hijklmnop, that value would look like this:

abcdefg:hijklmnop

Next, take the string and base64 encode it. For example, on a Mac, you can base encode the string using this command:

echo -n "abcdefg:hijklmnop" | base64

If you’re running Microsoft Windows, you can encode the string by using a Windows PowerShell command similar to this:

[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("abcdefg:hijklmn"))

The resulting value (e.g., YWJjZGVmZzpoaWprbG1ub3A=) should be used in your authentication header.

If you are making API calls using Postman, select Basic Auth as your identification type, then use the client ID as the username and the client secret as the password.

Before you actually try your authentication string, make sure that your API client has the all the permissions (for example, the right to read user profile information) needed to complete the API call.

POST

Running this Command in Postman

How to Create an Authentication String