Regenerate client secret
keycloak_client_regenerate_secretRegenerate a confidential client's secret, invalidating the previous one. Requires explicit confirmation to prevent accidental changes.
Instructions
Regenerate (rotate) a confidential client's secret. This is a destructive, non-idempotent write: it invalidates the previous secret, which immediately stops working, so any system using the old value must be updated. Requires explicit confirmation via confirm=true (otherwise it aborts without changing anything). Use keycloak_client_get_secret to read the current secret without rotating. Returns the new plaintext secret, or a reason string when not regenerated.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| confirm | No | Must be true to actually rotate the secret. When false or omitted (default), the operation is aborted and nothing is changed; this is a safeguard against accidental rotation. | |
| clientId | Yes | The client's clientId (the human-readable OAuth/OIDC client identifier), not the internal UUID. Required. The client must be confidential (publicClient=false). |