Regenerate client secret to a file
regenerate_client_secretRotate a Keycloak confidential client's secret, writing the new value to a local file for secure retrieval; perform a dry run or apply with write=true.
Instructions
Rotate a confidential client's secret and write ONLY the NEW value to a local file (mode 0600, no trailing newline). The secret value is never returned to the caller or logged — the tool returns only metadata. This mutates Keycloak: with write=false (default) it returns a dry-run plan and rotates nothing; with write=true it rotates. Production hosts (us/za) additionally require allowProdWrite in the config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| host | Yes | Target Keycloak host key, as configured in the config file's "hosts" map (or the KC_<HOST>_* env fallback). A host whose "production" flag is true, or absent, is treated as PRODUCTION and its writes are gated by "allowProdWrite". | |
| realm | Yes | Target realm name for the operation. | |
| write | No | false (default) = dry run: report what would happen without changing anything. true = apply the change. Production hosts additionally require KC_ALLOW_PROD_WRITE=true in the server environment. | |
| outPath | Yes | Absolute local file path the secret VALUE is written to (mode 0600). The value is written to this file by the server and is never returned to the caller. | |
| clientId | Yes | The client's clientId (the human-readable OAuth client id, not the UUID). |