Summary
We’re enhancing security by updating the length of OAuth client secrets.
What’s changing?
We are making changes to the number of characters used for OAuth client secrets. Client secrets are currently a fixed length of 16 characters. Following this change, client secrets will have a length in the range of 20 to 22 characters.
Why this matters?
This change is being implemented for increased security and to assist with identification of client secrets stored insecurely on public repositories.
Effective Date
Monday, April 27, 2026
Customer Impact
What you need to do?
If you use any automation processes that assume a fixed character length for OAuth client secrets, you will need to update these processes to allow for a longer, variable-length client secret. Following this change, client secrets will have a length in the range of 20 to 22 characters.
Impacted Resources
GET /api/v2/oauth/clients
PUT or GET /api/v2/oauth/clients/{clientId}
POST /api/v2/oauth/clients/{clientId}/secret
Issue References
IAM-4113
Contacts
@David Murray Please reply to this announcement with any questions. This helps the wider developer community benefit from the discussion. We encourage you to use this thread before contacting the designated person directly. Thank you for your understanding.
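As an aid for the "What you need to do?" step above, the following added example (not part of the original announcement) scans automation source for places that hard-code the current 16-character length near the word "secret". The pattern list, the keyword heuristic and the sample snippet are assumptions constructed for illustration; extend them to match your own code base.

```python
import re

# Heuristic patterns for a hard-coded 16-character assumption (constructed for this example).
FIXED_LENGTH_PATTERNS = [
    ("regex quantifier {16}", re.compile(r"\{16\}")),
    ("length compared to 16",
     re.compile(r"(?:len\s*\(|\.length\b|\.Length\b)[^\n]*?[=!]=+\s*16\b")),
    ("16-wide column", re.compile(r"\b(?:VAR)?CHAR\s*\(\s*16\s*\)", re.IGNORECASE)),
    ("slice to 16 characters", re.compile(r"\[\s*0?\s*:\s*16\s*\]")),
]
SECRET_HINT = re.compile(r"secret", re.IGNORECASE)


def find_fixed_length_assumptions(text, context=1):
    """Return (line_number, label, line) for lines that hard-code a length
    of 16 on, or within `context` lines of, a line mentioning 'secret'."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        window = lines[max(0, i - context): i + context + 1]
        if not any(SECRET_HINT.search(w) for w in window):
            continue  # a 16 with no secret nearby is probably unrelated
        for label, pattern in FIXED_LENGTH_PATTERNS:
            if pattern.search(line):
                findings.append((i + 1, label, line.strip()))
                break
    return findings


# Constructed sample of automation code and schema; not taken from any real project.
SAMPLE = '''\
SECRET_RE = re.compile(r"^[A-Za-z0-9_-]{16}$")
def store(client_id, client_secret):
    if len(client_secret) != 16:
        raise ValueError("bad secret")
    db.execute("INSERT ...", (client_id, client_secret))
-- schema
CREATE TABLE oauth_clients (client_secret VARCHAR(16) NOT NULL);
page_size = 16
def ok(client_secret):
    return 20 <= len(client_secret) <= 22
'''

if __name__ == "__main__":
    for lineno, label, line in find_fixed_length_assumptions(SAMPLE):
        print(f"line {lineno}: {label}: {line}")
```

Each finding is a candidate for review, not a confirmed defect: the fix is to accept the new 20 to 22 character range (or to drop the length check) and to widen any storage column accordingly.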