Reset an API Client Secret

Endpoint URL: {registrationDomain}/clients/reset_secret

Important. It's highly recommended that you contact Akamai support (or your Identity Cloud representative) before you change the client secret for an owner client. That's because changing an owner client secret can have repercussions that go beyond simply assigning a new secret to the client. Note that this is especially true for organizations running Hosted Login. See this article for more information.


Generates a new client secret for the specified API client. Optionally, the old client secret can remain valid for a specified grace period (up to 168 hours). In effect, the API client would then have two client secrets: the new secret and the old secret. After the grace period has expired, only the new secret will be valid.

If you have a security issue, you can use this endpoint to change a client's client_secret value. This is typically preferable to generating a new client/secret pair, which would involve changing everything from permissions to access schemas to hard-coded instances of the credentials.

The configurable grace period is provided to allow for changes and updates to be made before the new secret takes over and, potentially, breaks existing code.

Respects the API Client Allow List: Yes

API Client Permissions

The following table indicates the API clients that can (and the API clients that can't) be used to call this endpoint:



This endpoint supports Basic authentication. 

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Identity Cloud Capture domain; for example:

Your Capture domains (also known as Registration domains) can be found in the Console on the Manage Application page:


Example Request

This command creates a new client secret for the API client with the ID 67890fghij67890fghij. Setting the hours_to_live parameter to 24 means that the current client secret will remain valid for 24 hours. During that time you will be able to use either the new secret or the old secret; after 24 hours, you will only be able to use the new secret.

curl -X POST \
  -H "Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg=" \
  --data-urlencode for_client_id=67890fghij67890fghij \
  --data-urlencode hours_to_live=24 \
  "https://{registrationDomain}/clients/reset_secret"

Query Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| for_client_id | string | Yes | Client ID for the client whose secret is being reset. |
| hours_to_live | string | Yes | Integer value between 0 and 168, inclusive, that determines the number of hours in which the old client secret remains valid. |


200 OK

Response Fields




The new client_secret value replacing the current client_secret.

Example Error Response

Triggered when a request of 320 hours was set with the hours_to_live parameter.

{
  "argument_name": "hours_to_live",
  "request_id": "zxu4ay2wfg8fb5ud",
  "code": 200,
  "error_description": "hours_to_live was not valid for the following reason: hours_to_live must be between 0 and 168",
  "error": "invalid_argument",
  "stat": "error"
}

Response Example (application/json)

{
  "new_secret": "abcde12345abcde12345abcde12345",
  "stat": "ok"
}
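
The following is an added example, not Akamai's code: a small rotation helper that validates hours_to_live against the 0 to 168 range before anything is sent, builds the Basic-authenticated POST, and decides success on the stat field of the reply. The function names, the example.invalid domain and the caller credentials are assumptions, and the sample bodies are constructed from the two responses shown above.

```python
import base64
import json
import urllib.parse
import urllib.request

MAX_GRACE_HOURS = 168  # upper bound given in the parameter description

def build_reset_request(domain, caller_id, caller_secret, for_client_id, hours_to_live):
    """Build (but do not send) the POST to /clients/reset_secret."""
    # Catch a bad grace period locally rather than via an invalid_argument reply.
    if isinstance(hours_to_live, bool) or not isinstance(hours_to_live, int):
        raise ValueError("hours_to_live must be an integer")
    if not 0 <= hours_to_live <= MAX_GRACE_HOURS:
        raise ValueError("hours_to_live must be between 0 and 168")
    # Basic authentication: base64("client_id:client_secret") of the calling client.
    token = base64.b64encode(f"{caller_id}:{caller_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"for_client_id": for_client_id, "hours_to_live": hours_to_live}
    ).encode()
    return urllib.request.Request(
        f"https://{domain}/clients/reset_secret",
        data=body, method="POST",
        headers={"Authorization": f"Basic {token}"},
    )

def parse_reset_response(raw):
    """Return the new secret, or raise with the API's error fields."""
    doc = json.loads(raw)
    # Decide on "stat": the page's error body carries "code": 200, not a success flag.
    if doc.get("stat") != "ok":
        raise RuntimeError(
            f"{doc.get('error')} ({doc.get('argument_name')}): "
            f"{doc.get('error_description')} [request_id={doc.get('request_id')}]"
        )
    return doc["new_secret"]

# Constructed sample bodies, modelled on the two responses shown on this page.
SAMPLE_OK = '{"new_secret": "abcde12345abcde12345abcde12345", "stat": "ok"}'
SAMPLE_ERROR = json.dumps({
    "argument_name": "hours_to_live", "request_id": "zxu4ay2wfg8fb5ud", "code": 200,
    "error_description": "hours_to_live must be between 0 and 168",
    "error": "invalid_argument", "stat": "error",
})

if __name__ == "__main__":
    req = build_reset_request("example.invalid", "caller_id", "caller_secret",
                              "67890fghij67890fghij", 24)
    print(req.get_method(), req.full_url, req.data.decode())
    print(len(parse_reset_response(SAMPLE_OK)))  # length only; never log the secret
```

Pass the returned secret straight to your secret store, and use the grace period to update dependent code before the old secret expires.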