GOV.UK
Authorisation
Credentials
Your credentials are your client ID and your client secret.
Credentials are used:
- to identify and authorise your application during each step of an OAuth 2.0 journey
- when you test your application with sandbox APIs
Client ID
Your client ID is a unique identifier we create when you add your application to the Developer Hub.
Client secrets
Client secrets are unique passphrases that you generate to authorise your application. They are known only to your application and the authorising server.
The client secret is the equivalent of a password and should not be stored in plain text. Only store an encrypted version of the client secret to reduce the chance of it being compromised.
Rotate your client secret regularly
Rotate your application’s client secret to shorten the period an access key is active, reducing the impact to your business if it is compromised.
To rotate your client secret:
- Generate a new client secret, in addition to the one used by your application
- Update your application to use the new client secret
- Check that your application is working with the new client secret
- Delete the inactive client secret
You can have up to 5 client secrets at any time.