Every client gets a Client ID and a Client Secret generated at time of Setup. The secret is an opaque token, a secret string. It must be stored securely on the client side. Exposing it may provide access to an attacker to pose as the client.
The ID and secret have to be passed as Basic Auth in the OAuth authorization flow when exchanging the authorization code for a JWT access token.
Showing a Client ID and Client Secret at client setup time
Secret Regenerate
The Client Secret is generated and shown only at setup time. You must copy and store the secret securely. The SSO service stores only a hash of the secret, so if lost, it has to be regenerated.
