Reset an API Client Client Secret

Endpoint URL: {identityDomain} /config/{appId} /clients/{apiClientId} /secret

Important. It's highly-recommended that you contact Akamai support (or your Identity Cloud representative) before you change the client secret for an owner client. That's because changing an owner client secret can have repercussions that go beyond simply assigning a new secret to the client. Note that this is especially true for organizations running Hosted Login. See this article for more information.


Resets the client secret for an API client. The client secret, for our purposes, is the password for the API client, and should be reset if you believe this secret has been exposed to unauthorized users, if a user who had access to the secret has left your organization, and so on. 

When resetting a client secret, the request body of your API call must include the hoursToLive property. When you reset a client secret, the new secret takes effect immediately; at the same time, you can allow the old secret to remain in effect for as long as one week (168 hours). (That means that, for the specified amount of time, the API client will have two valid secrets: the old secret and the new secret.) The specified amount of time is dictated by the hoursToLive property, which can be set to any integer value between 0 hours and 168 hours, inclusive. Setting hoursToLive to 0 causes the old secret to expire as soon as the new secret takes effect.

Your API call must have the owner permission in order to reset a client secret.

Respects the API Client Allow List:  Yes

API Client Permissions

The following table indicates the API clients that can (and the API clients that can't) be used to call this endpoint:



This endpoint supports Basic authentication. 

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Configuration API domain followed by /config/ followed by your application ID. For example, if you are in the US region and your application ID is htb8fuhxnf8e38jrzub3c7pfrr, then your base URL would be:        

Allowed regions are:

  • us 
  • eu 
  • au 
  • sa 
  • cn
  • sg

Sample Request (curl)

This command resets the client secret for the API client with the client ID nmub5w3rru9k6rzupqaeb7bbwv6jn658. In addition, the command sets the hoursToLive property to 4 hours. That means that, for the next 4 hours, you can use either the old secret or the new secret when working with the API client. After those 4 hours have elapsed, only the new client secret will be valid.

curl -X PUT \ \
  -H 'Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg' \
  -H 'Content-Type: application/json' \
  -d '{    
     "hoursToLive": "4"

      Running this command in Postman


200 OK

If the client secret is successfully reset, the new secret will be displayed onscreen:

   "secret": "gd98kuyeg4xegv9t5es72x8r374nhgf"

Error Codes

The following table includes information about some of the error codes that you could encounter when calling this endpoint.

Error Code



Error Message: Missing data for required field.

You failed to include hoursToLive property.


Error Message: Must be between 0 and 168.

The hoursToLive property must be set to an integer value between 0 and 168, inclusive.


Error Message: Authentication required.

You either failed to provide credentials or provided invalid credentials. This endpoint requires Basic authentication.


Error Message: Client ID not found.
Error Message: Application ID not found.

You did not provide a valid application and/or client ID.

If you encounter an error when calling this endpoint that error message will look similar to this:

   "errors": "Authentication required."