PingOne Platform APIs

Application Secret

The application secret endpoints are available to users or worker applications only when the following conditions are met:

  • The actor has the requisite permission: applications:read:secret, applications:update:secret, or applications:delete:secret.

  • The actor does not see any of the application’s role assignments as readOnly. Note: This only applies if the application is a worker application. Learn more about the readOnly property in the Applications role assignments data model table.

An actor’s ability to access application secrets is restricted to prevent permission escalation. Permission escalation is when an actor can perform operations indirectly through the application that they’d be unable to perform directly.

Due to potential security issues, a worker app cannot read its own application secret.
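The three access conditions above (required permission, no readOnly role assignment on a worker application, and a worker application never reading its own secret) can be expressed as one decision function. The block below is an added illustration, not PingOne's own code or logic; the class names, field names and the `may_access_secret` function are assumptions made for this example, and the readOnly flag is assumed to be supplied already resolved for the requesting actor.

```python
"""Access decision for the PingOne application secret endpoints.

Added example, not PingOne's own code: it encodes the documented conditions
(required permission, no readOnly role assignment on a worker application,
and a worker app never reading its own secret) as a pure function so the
escalation rule can be tested. Field and function names are assumptions
made for this illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Permission each operation requires (names taken from the documentation).
REQUIRED_PERMISSION = {
    "read": "applications:read:secret",
    "update": "applications:update:secret",
    "delete": "applications:delete:secret",
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    # The documented readOnly property is resolved relative to the viewing
    # actor; the caller supplies it already evaluated for that actor.
    read_only: bool = False


@dataclass(frozen=True)
class Actor:
    actor_id: str
    is_worker_app: bool
    permissions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class TargetApplication:
    app_id: str
    is_worker_app: bool
    role_assignments: Tuple[RoleAssignment, ...] = ()


def may_access_secret(actor: Actor, target: TargetApplication, operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for an actor's request against an application's secret."""
    needed = REQUIRED_PERMISSION.get(operation)
    if needed is None:
        return False, f"unknown operation {operation!r}"
    if needed not in actor.permissions:
        return False, f"missing permission {needed}"
    # A worker app cannot read its own application secret.
    if operation == "read" and actor.is_worker_app and actor.actor_id == target.app_id:
        return False, "a worker application cannot read its own secret"
    # Any role assignment the actor only sees as readOnly blocks access to a
    # worker application's secret: holding the secret would let the actor act
    # with roles it could not grant itself (permission escalation).
    if target.is_worker_app and any(ra.read_only for ra in target.role_assignments):
        return False, "a role assignment on the worker application is readOnly for this actor"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: an admin with all three permissions reading a worker
    # app whose only role assignment is fully visible to that admin.
    admin = Actor("admin-1", False, frozenset(REQUIRED_PERMISSION.values()))
    worker = TargetApplication("app-1", True, (RoleAssignment("example-role"),))
    print(may_access_secret(admin, worker, "read"))
```

The readOnly check is deliberately placed on the target application rather than on the actor, because the documented rule is about the role assignments of the application whose secret is requested: if the actor cannot manage one of those assignments, obtaining the secret would let the actor exercise that role indirectly.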

Best practices

  • Do not store an application secret in applications that are publicly available.

  • For security purposes, regenerate application secrets regularly.

  • If you suspect an application secret has been compromised, generate a new application secret immediately.

Applications secret data model

Property | Type | Required? | Mutable? | Description
environment.id | String | | Read-only | The environment associated with the application.
previous | Object | Optional | Read-only | An object that specifies the previous secret, when it expires, and when it was last used.
previous.secret | String | N/A | Read-only | A string that specifies the previous application secret. This property is returned in the response if the previous secret is not expired.
previous.expiresAt | Timestamp | Optional | Read-only | A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days.
previous.lastUsed | Timestamp | Optional | Read-only | A timestamp that specifies when the previous secret was last used.
secret | String | Required | Read-only | The application secret ID used to authenticate to the authorization server. The secret has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key.
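The data model above and the best practices earlier on this page describe a rotation scheme: a new `secret` is issued, the old one survives as `previous.secret` until `previous.expiresAt` (1 minute to 30 days), and `previous.lastUsed` records when a client last presented it. The block below is an added example, not PingOne's own code, that models that lifecycle on the client or verifier side: it enforces the documented retention window, treats a suspected compromise as an immediate replacement with no retained previous secret, and checks the 64-character minimum before using a secret as an HS512 key. The class and function names (`ApplicationSecret`, `rotate`, `replace_immediately`, `authenticate`, `sign_hs512`) are assumptions made for this illustration.

```python
"""Rotation model for an application secret with a retained previous secret.

Added example, not PingOne's own code. It mirrors the documented data model
(secret, previous.secret, previous.expiresAt, previous.lastUsed), enforces the
documented 1 minute to 30 day retention window for the previous secret, and
checks the 64-character minimum for a secret used as an HS512 signing key.
The class and function names are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_PREVIOUS_TTL = timedelta(minutes=1)
MAX_PREVIOUS_TTL = timedelta(days=30)
HS512_MIN_SECRET_BYTES = 64  # 512-bit key for HMAC-SHA512


@dataclass
class PreviousSecret:
    secret: str
    expires_at: datetime
    last_used: Optional[datetime] = None


@dataclass
class ApplicationSecret:
    secret: str
    previous: Optional[PreviousSecret] = None


def generate_secret() -> str:
    """48 random bytes encode to exactly 64 URL-safe characters, meeting the HS512 minimum."""
    return secrets.token_urlsafe(48)


def hs512_key_ok(secret: str) -> bool:
    """True when the secret is long enough to serve as an HS512 key."""
    return len(secret.encode("utf-8")) >= HS512_MIN_SECRET_BYTES


def rotate(current: ApplicationSecret, now: datetime, previous_ttl: timedelta) -> ApplicationSecret:
    """Planned rotation: issue a new secret and keep the old one valid for previous_ttl."""
    if not MIN_PREVIOUS_TTL <= previous_ttl <= MAX_PREVIOUS_TTL:
        raise ValueError("previous secret retention must be between 1 minute and 30 days")
    return ApplicationSecret(
        secret=generate_secret(),
        previous=PreviousSecret(secret=current.secret, expires_at=now + previous_ttl),
    )


def replace_immediately() -> ApplicationSecret:
    """Emergency replacement after suspected compromise: no previous secret is retained."""
    return ApplicationSecret(secret=generate_secret())


def authenticate(record: ApplicationSecret, presented: str, now: datetime) -> bool:
    """Accept the current secret, or the previous one while it has not expired."""
    presented_b = presented.encode("utf-8")
    if hmac.compare_digest(presented_b, record.secret.encode("utf-8")):
        return True
    prev = record.previous
    if (
        prev is not None
        and now < prev.expires_at
        and hmac.compare_digest(presented_b, prev.secret.encode("utf-8"))
    ):
        prev.last_used = now  # mirrors previous.lastUsed
        return True
    return False


def sign_hs512(secret: str, message: bytes) -> str:
    """HMAC-SHA512 over message, refusing keys shorter than the documented minimum."""
    if not hs512_key_ok(secret):
        raise ValueError("HS512 key must be at least 64 characters")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha512).hexdigest()


if __name__ == "__main__":
    # Constructed sample run: rotate with a 7-day overlap, then sign a message.
    now = datetime.now(timezone.utc)
    record = rotate(ApplicationSecret(secret=generate_secret()), now, timedelta(days=7))
    print("previous secret valid until", record.previous.expires_at.isoformat())
    print("signature:", sign_hs512(record.secret, b"example")[:16], "...")
```

Comparisons use `hmac.compare_digest` so that a wrong secret is rejected in constant time, and the previous secret is only consulted after the current one fails, which keeps the overlap window from becoming a permanent second credential.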

Response codes

The /environments/{{envID}}/applications/{{appID}}/secret endpoint returns a 404 NOT FOUND if the application’s type property is set to PING_ONE_ADMIN_CONSOLE or PING_ONE_SELF_SERVICE.

Code | Message
200 | Successful operation.
201 | Successfully created.
400 | The request could not be completed.
401 | You do not have access to this resource.
403 | You do not have permissions or are not licensed to make this request.
404 | The requested resource was not found.
500 | An unexpected error occurred.
