Dump client secret to a file
dump_client_secretFetch a confidential client's current secret and write its value to a local file. The secret is never exposed to the caller or logs.
Instructions
Fetch a confidential client's current secret and write ONLY the value to a local file (mode 0600, no trailing newline). The secret value is never returned to the caller or logged — the tool returns only metadata (path, byte length). This is a read against Keycloak (no mutation), so it is not write-gated.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| host | Yes | Target Keycloak host key, as configured in the config file's "hosts" map (or the KC_<HOST>_* env fallback). A host whose "production" flag is true, or absent, is treated as PRODUCTION and its writes are gated by "allowProdWrite". | |
| realm | Yes | Target realm name for the operation. | |
| outPath | Yes | Absolute local file path the secret VALUE is written to (mode 0600). The value is written to this file by the server and is never returned to the caller. | |
| clientId | Yes | The client's clientId (the human-readable OAuth client id, not the UUID). |