---
title: Application Secret
description: The application secret endpoints are available to users or worker applications only when the following conditions are met:
component: pingone-api
page_id: pingone-api:platform:applications/application-secret
canonical_url: https://developer.pingidentity.com/pingone-api/platform/applications/application-secret.html
section_ids:
  best-practices: Best practices
  applications-secret-data-model: Applications secret data model
  response-codes: Response codes
---

# Application Secret

The application secret endpoints are available to users or worker applications only when the following conditions are met:

* The actor has the requisite permission: `applications:read:secret`, `applications:update:secret`, or `applications:delete:secret`.

* The actor does not see any of the application's role assignments as `readOnly`. **Note:** This only applies if the application is a worker application. Learn more about the `readOnly` property in the [Applications role assignments data model table](application-role-assignments.html#applications-role-assignment-data-model).

An actor's ability to access application secrets is restricted to prevent permission escalation. Permission escalation is when an actor can perform operations indirectly through the application that they'd be unable to perform directly.

> Due to potential security issues, a worker app cannot read its own application secret.

## Best practices

* Do not store an application secret in applications that are publicly available.

* For security purposes, regenerate application secrets regularly.

* If you suspect an application secret has been compromised, generate a new application secret immediately.

## Applications secret data model

| Property             | Type      | Required? | Mutable?  | Description                                                                                                                                                                                                                         |
| -------------------- | --------- | --------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `environment.id`     | String    |           | Read-only | The environment associated with the application.                                                                                                                                                                                    |
| `previous`           | Object    | Optional  | Read-only | An object that specifies the previous secret, when it expires, and when it was last used.                                                                                                                                           |
| `previous.secret`    | String    | N/A       | Read-only | A string that specifies the previous application secret. This property is returned in the response if the previous secret is not expired.                                                                                           |
| `previous.expiresAt` | Timestamp | Optional  | Read-only | A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days.                                                                                          |
| `previous.lastUsed`  | Timestamp | Optional  | Read-only | A timestamp that specifies when the previous secret was last used.                                                                                                                                                                  |
| `secret`             | String    | Required  | Read-only | The application secret ID used to authenticate to the authorization server. The secret has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key. |
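
The following is an added example, not PingOne code: a rotation review that reads a secret document shaped like the data model above and reports whether the previous secret is still accepted and whether it was used after the new secret was generated, which is the signal to chase after a routine or compromise-driven rotation. It assumes ISO 8601 timestamps and a caller-tracked `rotated_at` value; `review_secret`, `parse_ts`, the finding codes, and the sample document are hypothetical.

```python
from datetime import datetime

MIN_SECRET_LEN = 64  # minimum length given for `secret` in the table above


def parse_ts(value):
    # Assumption: timestamps are ISO 8601 strings, optionally ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_secret(doc, rotated_at, now):
    """Return finding codes for one secret document; never echoes secret values.

    rotated_at is tracked by the caller (it is not part of the data model).
    """
    findings = []
    if len(doc.get("secret", "")) < MIN_SECRET_LEN:
        findings.append("SECRET_TOO_SHORT")
    prev = doc.get("previous") or {}
    # `previous.secret` is only returned while the previous secret is unexpired.
    if "secret" in prev:
        expires = prev.get("expiresAt")
        if expires is None or parse_ts(expires) > now:
            findings.append("PREVIOUS_STILL_VALID")
    last_used = prev.get("lastUsed")
    if last_used and parse_ts(last_used) > rotated_at:
        # A client (or someone holding the old secret) used it after rotation.
        findings.append("PREVIOUS_USED_AFTER_ROTATION")
    return findings


# Constructed sample document; all values are placeholders, not real secrets.
SAMPLE = {
    "environment": {"id": "env-id-placeholder"},
    "secret": "A" * 64,
    "previous": {
        "secret": "B" * 64,
        "expiresAt": "2024-05-08T12:00:00Z",
        "lastUsed": "2024-05-02T09:30:00Z",
    },
}

if __name__ == "__main__":
    rotated = parse_ts("2024-05-01T12:00:00Z")
    now = parse_ts("2024-05-03T00:00:00Z")
    print(review_secret(SAMPLE, rotated, now))
```

A `PREVIOUS_USED_AFTER_ROTATION` finding means either a client has not yet picked up the new secret or the old one is held by someone else; in both cases it should be resolved before `previous.expiresAt`.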

## Response codes

> The `/environments/{{envID}}/applications/{{appID}}/secret` endpoint returns a `404 NOT FOUND` if the application's type property is set to `PING_ONE_ADMIN_CONSOLE` or `PING_ONE_SELF_SERVICE`.

| Code | Message                                                               |
| ---- | --------------------------------------------------------------------- |
| 200  | Successful operation.                                                 |
| 201  | Successfully created.                                                 |
| 400  | The request could not be completed.                                   |
| 401  | You do not have access to this resource.                              |
| 403  | You do not have permissions or are not licensed to make this request. |
| 404  | The requested resource was not found.                                 |
| 500  | An unexpected error occurred.                                         |

> **Related topics**
>
> * [Administrator permissions and role assignments](../../foundations/pingone-roles-scopes-and-permissions/administrator-permissions-and-role-assignments.html)
