Client secrets are used to authenticate Connect Applications when making requests to WorkOS APIs.
When a client secret is first created, the response includes an additional secret field containing the plaintext secret. This is the only time the plaintext secret will be returned.
List all client secrets associated with a Connect Application.
The plaintext secret is never returned after creation. Only the secret hint is included.
curl "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ --header "Authorization: Bearer sk_example_123456789"
[ { "object": "connect_application_secret", "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", "secret_hint": "abc123", "last_used_at": null, "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } ]
| curl "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.connect.list_application_client_secrets(id: "conn_app_01HXYZ123456789ABCDEFGHIJ") |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.connect.list_application_client_secrets(id_="conn_app_01HXYZ123456789ABCDEFGHIJ") |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Connect().ListApplicationClientSecrets(context.Background(), "conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->connect() | |
| ->listApplicationClientSecrets(id: "conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.connect.listApplicationClientSecrets("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Connect.ListApplicationClientSecretsAsync("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| use workos::Client; | |
| #[tokio::main] | |
| async fn main() -> Result<(), workos::Error> { | |
| let client = Client::builder() | |
| .api_key("sk_example_123456789") | |
| .client_id("client_123456789") | |
| .build(); | |
| let _result = client | |
| .connect() | |
| .list_application_client_secrets("conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| .await?; | |
| Ok(()) | |
| } |
| [ | |
| { | |
| "object": "connect_application_secret", | |
| "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", | |
| "secret_hint": "abc123", | |
| "last_used_at": null, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| ] |
GET/connectParameters Returns Create a new client secret for a Connect Application.
This is the only time the plaintext secret will be returned and must be stored securely.
curl --request POST \ --url "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ --header "Authorization: Bearer sk_example_123456789"
{ "object": "connect_application_secret", "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", "secret_hint": "abc123", "last_used_at": null, "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z", "secret": "abc123def456ghi789jkl012mno345pqr678stu901vwx234yz" }
| curl --request POST \ | |
| --url "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.connect.create_application_client_secret(id: "conn_app_01HXYZ123456789ABCDEFGHIJ") |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.connect.create_application_client_secret( | |
| id_="conn_app_01HXYZ123456789ABCDEFGHIJ" | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Connect().CreateApplicationClientSecret(context.Background(), "conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->connect() | |
| ->createApplicationClientSecret(id: "conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.connect.createApplicationClientSecret("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Connect.CreateApplicationClientSecretAsync("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| use workos::Client; | |
| #[tokio::main] | |
| async fn main() -> Result<(), workos::Error> { | |
| let client = Client::builder() | |
| .api_key("sk_example_123456789") | |
| .client_id("client_123456789") | |
| .build(); | |
| let _result = client | |
| .connect() | |
| .create_application_client_secret("conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| .await?; | |
| Ok(()) | |
| } |
| { | |
| "object": "connect_application_secret", | |
| "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", | |
| "secret_hint": "abc123", | |
| "last_used_at": null, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z", | |
| "secret": "abc123def456ghi789jkl012mno345pqr678stu901vwx234yz" | |
| } |
POST/connectParameters Returns Delete (revoke) an existing client secret.
curl -X DELETE https://api.workos.com/connect/client_secrets/secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q \ --header "Authorization: Bearer sk_example_123456789"
require "workos" WorkOS.configure do |config| config.api_key = "sk_example_123456789" end WorkOS.client.connect.delete_client_secret(id: "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q")
from workos import WorkOSClient client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") client.connect.delete_client_secret(id_="secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q")
package main import ( "context" "github.com/workos/workos-go/v9" ) func main() { client := workos.NewClient("sk_example_123456789") _, err := client.Connect().DeleteClientSecret(context.Background(), "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q") if err != nil { panic(err) } }
<?php use WorkOS\WorkOS; $workos = new WorkOS( apiKey: "sk_example_123456789", clientId: "client_123456789", ); $workos->connect()->deleteClientSecret(id: "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q");
import com.workos.WorkOS; WorkOS workos = new WorkOS("sk_example_123456789"); workos.connect.deleteClientSecret("secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q");
using WorkOS; var client = new WorkOSClient(new WorkOSOptions { ApiKey = "sk_example_123456789", ClientId = "client_123456789", }); await client.Connect.DeleteClientSecretAsync("secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q");
use workos::Client; #[tokio::main] async fn main() -> Result<(), workos::Error> { let client = Client::builder() .api_key("sk_example_123456789") .client_id("client_123456789") .build(); let _result = client .connect() .delete_client_secret("secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q") .await?; Ok(()) }
DELETE/connectParameters Returns