---
title: Resource Secret
description: The client secret endpoint is available to users or worker resources only if they have a superset of the resource's role assignments.
component: pingone-api
page_id: pingone-api:platform:resources/resource-secret
canonical_url: https://developer.pingidentity.com/pingone-api/platform/resources/resource-secret.html
section_ids:
  best-practices: Best practices
  resource-client-secret-data-model: Resource client secret data model
  resource-client-secret-events-generated: Resource client secret events generated
  response-codes: Response codes
---

# Resource Secret

The client secret endpoint is available to users or worker resources only if they have a superset of the resource's role assignments.

Access to the resource's client secret is restricted based on the accessing user's or resource's role assignments. For example, if a client has the Environment Admin role, an actor with an Identity Admin role cannot see the client secret. This restriction addresses privilege escalation by preventing the Identity Admin user from using the client to perform actions that the Identity Admin role assignment does not allow.

## Best practices

* Do not store a resource's client secret in applications that are publicly available.

* For security purposes, regenerate client secrets regularly.

* If you suspect a resource's client secret has been compromised, generate a new client secret immediately.

## Resource client secret data model

| Property             | Type      | Required? | Mutable?  | Description                                                                                                                                                                                                                                                        |
| -------------------- | --------- | --------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `environment.id`     | String    |           | Read-only | The environment associated with the resource.                                                                                                                                                                                                                      |
| `previous`           | Object    | Optional  | Read-only | An object that specifies the resource's previous secret, when it expires, and when it was last used.                                                                                                                                                               |
| `previous.secret`    | String    | N/A       | Read-only | A string that specifies the resource's previous secret. This property is returned in the response if the previous secret is not expired.                                                                                                                           |
| `previous.expiresAt` | Timestamp | Optional  | Read-only | A timestamp that specifies how long this secret is saved (and can be used) before it expires. Supported time range is 1 minute to 30 days.                                                                                                                         |
| `previous.lastUsed`  | Timestamp | Optional  | Read-only | A timestamp that specifies when the previous secret was last used.                                                                                                                                                                                                 |
| `secret`             | String    | N/A       | Read-only | An auto-generated resource client secret. Possible characters are `a-z`, `A-Z`, `0-9`, `-`, `.`, `_`, `~`. The secret has a minimum length of 64 characters per SHA-512 requirements when using the HS512 algorithm to sign ID tokens using the secret as the key. |
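
The following added example (not part of the PingOne documentation or SDK) reviews one secret response body after a rotation, using the properties in the table above: it checks the current secret against the documented character set and length, and flags a previous secret that is still accepted or was used after the rotation. The nested JSON shape, the ISO 8601 timestamp format, the `rotated_at` input, and all sample values are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Charset and 64-character minimum from the `secret` row of the data model.
SECRET_RE = re.compile(r"[A-Za-z0-9._~-]{64,}")

def parse_ts(value):
    # Assumption: timestamps are ISO 8601 with a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_secret(body, now, rotated_at):
    """Return findings for one secret response body.

    rotated_at is the operator's own record of when the current secret was
    generated (hypothetical input; the data model does not carry it).
    """
    findings = []
    if not SECRET_RE.fullmatch(body.get("secret", "")):
        findings.append("current-secret-malformed")
    prev = body.get("previous") or {}
    expires = prev.get("expiresAt")
    if expires and parse_ts(expires) > now:
        # The old secret can still be used until this time passes.
        findings.append("previous-still-accepted")
    last_used = prev.get("lastUsed")
    if last_used and parse_ts(last_used) > rotated_at:
        # A caller has not switched secrets, or a leaked old secret is in use.
        findings.append("previous-used-after-rotation")
    return findings

# Constructed sample response; every value is made up for illustration.
SAMPLE = {
    "environment": {"id": "00000000-0000-0000-0000-000000000000"},
    "secret": "Ab0-._~x" * 8,
    "previous": {
        "secret": "Zy9~_.-q" * 8,
        "expiresAt": "2024-05-08T12:00:00Z",
        "lastUsed": "2024-05-02T09:30:00Z",
    },
}

if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)
    rotated = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    print(review_secret(SAMPLE, now, rotated))
```

When a secret is regenerated because of suspected compromise, a `previous-still-accepted` finding means the old secret remains usable until `previous.expiresAt`.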

## Resource client secret events generated

Refer to [Audit Reporting Events](../audit-activities.html#audit-reporting-events) for the events generated.

## Response codes

| Code | Message                                  |
| ---- | ---------------------------------------- |
| 200  | Successful operation.                    |
| 201  | Successfully created.                    |
| 204  | Successfully removed. No content.        |
| 400  | The request could not be completed.      |
| 401  | You do not have access to this resource. |
| 404  | The requested resource was not found.    |
