Genesys Cloud
OAuth client secret no longer visible after creation

Announced on: 2025-02-10
Effective date: -
Aha! idea: Aha! link

In a future release, Genesys Cloud will improve OAuth client security by limiting access to the client secret. Currently, administrators can view the OAuth client secret at any time in the Admin UI and retrieve it via certain API responses. After this change, the client secret will only be visible when a new OAuth client is created or when a new secret is generated. This change strengthens OAuth security by reducing exposure of sensitive credentials while giving administrators time to adjust their processes. By allowing access only at creation/reset, Genesys Cloud encourages best practices for secure credential management.

Note: Administrators must copy and store the secret securely, since it will not be retrievable later.

Transition plan

Remove client secret from the admin UI

  • The client secret will only be visible at creation/reset.
  • A UI prompt reminds administrators to copy and securely store the secret.
  • The secret will still be retrievable via API during this phase to help with the transition.

Remove client secret from API responses

The client secret will no longer be returned in API responses, including:

  • GET /api/v2/oauth/clients/{clientid}
  • PUT /api/v2/oauth/clients/{clientid}

This means administrators and applications will no longer be able to retrieve the client secret after creation/reset. Also, there is no change to the behavior for POST /api/v2/oauth/clients. The client secret will still be returned via API on client creation or client secret reset when using the POST command.

Action required

Before this change takes effect, administrators must:

  • Review existing OAuth clients and ensure that all necessary secrets are securely stored.
  • Update any workflows that rely on retrieving the client secret from the API.

For more information, see the UI Change: Removal of OAuth Client Secret for Admin UI community post.
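
One way to carry out the review step during the transition phase, while GET responses still include the secret. This is an added example, not Genesys Cloud code; the `id` and `secret` field names, the dict used as a vault and the sample records are assumptions constructed for illustration.

```python
import hmac

def reconcile_secrets(client_responses, vault):
    """Sort OAuth clients by what is needed before the API stops returning secrets.

    client_responses: parsed JSON bodies from GET /api/v2/oauth/clients/{clientid}
    vault: dict-like {client id: secret}; a stand-in for a real secrets manager
    Returns client ids only, so the report can be logged without leaking secrets.
    """
    report = {"backfilled": [], "verified": [], "stale": [],
              "stored_unverified": [], "needs_reset": []}
    for client in client_responses:
        cid = client["id"]
        api_secret = client.get("secret")  # assumed field name; absent after the API phase
        stored = vault.get(cid)
        if not api_secret:
            # Nothing left to copy: rely on the stored value, or reset to get a new one.
            report["stored_unverified" if stored else "needs_reset"].append(cid)
        elif stored is None:
            vault[cid] = api_secret        # capture while it is still retrievable
            report["backfilled"].append(cid)
        elif hmac.compare_digest(stored.encode(), api_secret.encode()):
            report["verified"].append(cid)
        else:
            vault[cid] = api_secret        # the API holds the current secret
            report["stale"].append(cid)    # consumers may still hold the old value
    return report

# Constructed sample data, not real Genesys Cloud output.
SAMPLE_RESPONSES = [
    {"id": "client-a", "name": "reporting-job", "secret": "constructed-secret-A"},
    {"id": "client-b", "name": "wfm-sync", "secret": "constructed-secret-B2"},
    {"id": "client-c", "name": "legacy-ivr"},  # secret already withheld
    {"id": "client-d", "name": "bot-connector", "secret": "constructed-secret-D"},
    {"id": "client-e", "name": "survey-export"},  # withheld, but already stored
]
SAMPLE_VAULT = {
    "client-b": "constructed-secret-B1",
    "client-d": "constructed-secret-D",
    "client-e": "constructed-secret-E",
}

if __name__ == "__main__":
    print(reconcile_secrets(SAMPLE_RESPONSES, dict(SAMPLE_VAULT)))
```

Clients reported under `needs_reset` have no recoverable secret, and those under `stale` had a stored value that no longer matched the one the API returned.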