Resource Secret
The client secret endpoint is available to users or worker resources only if they have a superset of the resource’s role assignments.
Access to the resource’s client secret is restricted based on the role assignments of the accessing user or resource. For example, if a client has the Environment Admin role, an actor with only the Identity Admin role cannot see the client secret. This restriction addresses privilege escalation by preventing the Identity Admin user from using the client to perform actions that the Identity Admin role assignment does not allow.
Best practices
- Do not store a resource’s client secret in applications that are publicly available.
- For security purposes, regenerate client secrets regularly.
- If you suspect a resource’s client secret has been compromised, generate a new client secret immediately.
Resource client secret data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | String | | Read-only | The environment associated with the resource. |
| | Object | Optional | Read-only | An object that specifies the resource’s previous secret, when it expires, and when it was last used. |
| | String | N/A | Read-only | A string that specifies the resource’s previous secret. This property is returned in the response if the previous secret is not expired. |
| | Timestamp | Optional | Read-only | A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days. |
| | Timestamp | Optional | Read-only | A timestamp that specifies when the previous secret was last used. |
| | String | N/A | Read-only | An auto-generated resource client secret. Possible characters are |
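
An added example, not part of the original documentation: after a rotation the previous secret remains usable until it expires, so this Python check reviews a secret record for that window and for use of the old secret after the rotation. The field names (`previous`, `expiresAt`, `lastUsed`), the caller-supplied rotation time, and measuring the 1 minute to 30 day range from that rotation time are assumptions; the sample record is constructed.

```python
from datetime import datetime, timedelta

# Supported retention range for a previous secret, as stated in the data model.
MIN_RETENTION = timedelta(minutes=1)
MAX_RETENTION = timedelta(days=30)


def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_rotation(record, rotated_at, now):
    """Return findings about the previous secret after a rotation.

    `record` uses assumed field names (previous, expiresAt, lastUsed).
    """
    findings = []
    previous = record.get("previous")
    if not previous or "expiresAt" not in previous:
        return findings  # no previous secret is being retained
    expires_at = parse_ts(previous["expiresAt"])
    if expires_at <= now:
        return findings  # previous secret has already expired
    retention = expires_at - rotated_at
    if not MIN_RETENTION <= retention <= MAX_RETENTION:
        findings.append("retention-out-of-range")
    # Until it expires, the old secret still authenticates the resource.
    findings.append("previous-secret-still-valid")
    last_used = previous.get("lastUsed")
    if last_used and parse_ts(last_used) > rotated_at:
        # Something presented the old secret after rotation: either a client
        # that was not updated, or whoever obtained the old secret.
        findings.append("previous-secret-used-after-rotation")
    return findings


# Constructed sample record; values are placeholders, not real secrets.
SAMPLE = {
    "secret": "NEW-PLACEHOLDER",
    "previous": {
        "secret": "OLD-PLACEHOLDER",
        "expiresAt": "2024-05-08T12:00:00Z",
        "lastUsed": "2024-05-02T09:30:00Z",
    },
}
ROTATED_AT = parse_ts("2024-05-01T12:00:00Z")

if __name__ == "__main__":
    print(review_rotation(SAMPLE, ROTATED_AT, parse_ts("2024-05-03T00:00:00Z")))
```

A `previous-secret-used-after-rotation` finding on a secret rotated because of suspected compromise is worth correlating with the audit events for the resource.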
Resource client secret events generated
Refer to Audit Reporting Events for the events generated.