Last updated Dec 6, 2021

Rotating an OAuth 2.0 client ID and secret

The clientId of a Forge app is stored in the providers section of the manifest.yml file and the secret is set by running the providers command in the Forge CLI.

Because the clientId is stored in the manifest.yml file, its value is versioned with each version of the app. This means that users on an old version of the app continue to use the old clientId until they upgrade to the latest version of the app.

Learn more about Forge versions.

Changing the client ID

  1. In the providers.auth section of the manifest.yml file, change the client ID.

  2. Navigate to the app's top-level directory and deploy your app by running:

    forge deploy

This causes a major version upgrade of your app. Users are required to upgrade to the latest version.

Setting the new client secret

  1. Set the client secret by running:

    forge providers configure

  2. Select the provider you want to configure.

  3. Enter the new secret.

In the time between deploying the app and setting the new secret, users who upgrade to a new major version do not have a secret set.
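
To keep that window short, it helps to know before deploying which providers will need a new secret. The following is an added example (not Atlassian's code and not part of the Forge CLI): it compares the providers.auth entries of the previous and new manifest.yml and returns the provider keys whose clientId changed, which are the ones to run forge providers configure for right after forge deploy. It assumes block-style YAML read with a minimal standard-library reader rather than a YAML library; the function names and the sample manifests (keys and client IDs) are constructed placeholders.

```python
import re
# Matches "key: value" / "clientId: value", with optional quotes and trailing comment.
FIELD = re.compile(r"^(key|clientId):\s*['\"]?([^'\"#]+?)['\"]?\s*(?:#.*)?$")

def provider_client_ids(manifest_text):
    """Map provider key -> clientId for each entry under providers.auth.
    Assumption: block-style YAML (no flow syntax, anchors or aliases)."""
    items, state, list_indent = [], "top", None
    for raw in manifest_text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and not body.startswith("- "):
            state = "providers" if body == "providers:" else "top"
        elif state == "providers" and body == "auth:":
            state, list_indent = "auth", None
        elif state == "auth":
            if body.startswith("- ") and list_indent in (None, indent):
                list_indent, body = indent, body[2:].strip()  # new provider entry
                items.append({})
            elif list_indent is None or indent != list_indent + 2:
                continue  # nested value (scopes, actions, ...), not a provider field
            match = FIELD.match(body)
            if match:
                items[-1][match.group(1)] = match.group(2)
    return {i["key"]: i["clientId"] for i in items if len(i) == 2}

def providers_needing_new_secret(old_manifest, new_manifest):
    """Provider keys whose clientId is new or changed in the new manifest."""
    old = provider_client_ids(old_manifest)
    new = provider_client_ids(new_manifest)
    return sorted(k for k, cid in new.items() if old.get(k) != cid)

# Constructed sample manifests; provider keys and client IDs are placeholders.
OLD_MANIFEST = """\
providers:
  auth:
    - key: google
      type: oauth2
      clientId: OLD-CLIENT-ID
      scopes:
        - profile
    - key: dropbox
      clientId: DROPBOX-CLIENT-ID
"""
NEW_MANIFEST = OLD_MANIFEST.replace("OLD-CLIENT-ID", "NEW-CLIENT-ID")

if __name__ == "__main__":
    print(providers_needing_new_secret(OLD_MANIFEST, NEW_MANIFEST))
```

In practice the old text would come from the previously deployed revision of manifest.yml in version control and the new text from the working copy.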
