Get client secret
keycloak_client_get_secretGet the current secret of a confidential Keycloak client. Returns masked secret by default; pass reveal=true for plaintext.
Instructions
Read the current secret of a confidential (non-public) realm client. Read-only and idempotent; it does not change the secret. By default the secret is returned masked; pass reveal=true to return the plaintext value. Use keycloak_client_get to confirm a client is confidential first, and keycloak_client_regenerate_secret to rotate it. Returns the (masked or plaintext) secret string, or "Client not found." when no client matches.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| reveal | No | When true, return the plaintext secret; when false or omitted (default), return a masked value. Set to true only when the caller actually needs the raw secret. | |
| clientId | Yes | The client's clientId (the human-readable OAuth/OIDC client identifier, e.g. "my-app"), not the internal UUID. Required. The client must be confidential (publicClient=false) to have a secret. |