Client secrets are used to authenticate Connect Applications when making requests to WorkOS APIs.
When a client secret is first created, the response includes an additional secret field containing the plaintext secret. This is the only time the plaintext secret will be returned.
List all client secrets associated with a Connect Application.
The plaintext secret is never returned after creation. Only the secret hint is included.
cURL
| curl "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.connect.list_application_client_secrets(id: "conn_app_01HXYZ123456789ABCDEFGHIJ") |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.connect.list_application_client_secrets(id_="conn_app_01HXYZ123456789ABCDEFGHIJ") |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Connect().ListApplicationClientSecrets(context.Background(), "conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->connect() | |
| ->listApplicationClientSecrets(id: "conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.connect.listApplicationClientSecrets("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Connect.ListApplicationClientSecretsAsync("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| use workos::Client; | |
| #[tokio::main] | |
| async fn main() -> Result<(), workos::Error> { | |
| let client = Client::builder() | |
| .api_key("sk_example_123456789") | |
| .client_id("client_123456789") | |
| .build(); | |
| let _result = client | |
| .connect() | |
| .list_application_client_secrets("conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| .await?; | |
| Ok(()) | |
| } |
| [ | |
| { | |
| "object": "connect_application_secret", | |
| "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", | |
| "secret_hint": "abc123", | |
| "last_used_at": null, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| ] |
GET/connect
Parameters
Returns
Create a new client secret for a Connect Application.
This is the only time the plaintext secret will be returned and must be stored securely.
cURL
| curl --request POST \ | |
| --url "https://api.workos.com/connect/applications/conn_app_01HXYZ123456789ABCDEFGHIJ/client_secrets" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.connect.create_application_client_secret(id: "conn_app_01HXYZ123456789ABCDEFGHIJ") |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.connect.create_application_client_secret( | |
| id_="conn_app_01HXYZ123456789ABCDEFGHIJ" | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Connect().CreateApplicationClientSecret(context.Background(), "conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->connect() | |
| ->createApplicationClientSecret(id: "conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.connect.createApplicationClientSecret("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Connect.CreateApplicationClientSecretAsync("conn_app_01HXYZ123456789ABCDEFGHIJ"); |
| use workos::Client; | |
| #[tokio::main] | |
| async fn main() -> Result<(), workos::Error> { | |
| let client = Client::builder() | |
| .api_key("sk_example_123456789") | |
| .client_id("client_123456789") | |
| .build(); | |
| let _result = client | |
| .connect() | |
| .create_application_client_secret("conn_app_01HXYZ123456789ABCDEFGHIJ") | |
| .await?; | |
| Ok(()) | |
| } |
| { | |
| "object": "connect_application_secret", | |
| "id": "secret_01J9Q2Z3X4Y5W6V7U8T9S0R1Q", | |
| "secret_hint": "abc123", | |
| "last_used_at": null, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z", | |
| "secret": "abc123def456ghi789jkl012mno345pqr678stu901vwx234yz" | |
| } |
POST/connect
Parameters
Returns
Webhooks Continue to the next section
Up next