Jason Marley thinks this is interesting:

Just as with your own personal credentials for various accounts and websites, you should rotate your client credentials as well. Set an interval, say, every 6 months, or every major release (depending on the security needs of your application, this may be longer or shorter) where you will request a new client secret and invalidate your old one. This will minimize the impact in the case that your client secret gets leaked.

From: Mastering OAuth 2.0

Note

This is a good practice and one to take note of for production systems.
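The rotation routine the quoted passage describes, written out as an added example (not code from the book or from this page): a server-side store that issues a fresh client secret, lets the previous one overlap for a short grace window so deployments can switch over, and then refuses it, which is what bounds the damage of a leaked secret. The 180-day interval follows the text's "every 6 months"; the 7-day grace window and the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(days=180)  # "every 6 months", per the quoted advice
GRACE_PERIOD = timedelta(days=7)         # assumption: overlap while clients pick up the new secret


class ClientSecretStore:
    """Authorization-server side record of one confidential client's secrets.

    Only hashes are kept; the clear-text secret is returned exactly once at
    issuance. Each record carries the time it was issued and, once superseded,
    the time after which it must no longer be accepted.
    """

    def __init__(self, client_id):
        self.client_id = client_id
        self.records = []  # dicts: {"hash", "issued", "expires"}; expires=None means current

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def rotate(self, now):
        """Issue a new secret and schedule every older one for invalidation."""
        for rec in self.records:
            if rec["expires"] is None:
                rec["expires"] = now + GRACE_PERIOD
        new_secret = secrets.token_urlsafe(32)
        self.records.append({"hash": self._digest(new_secret), "issued": now, "expires": None})
        return new_secret

    def rotation_due(self, now):
        """True when the current secret is older than the rotation interval."""
        return now - self.records[-1]["issued"] >= ROTATION_INTERVAL

    def verify(self, presented, now):
        """Accept a presented secret only if it is current or still inside its grace window."""
        candidate = self._digest(presented)
        for rec in self.records:
            if rec["expires"] is not None and now >= rec["expires"]:
                continue  # invalidated: a leaked copy of this secret is now useless
            if hmac.compare_digest(rec["hash"], candidate):
                return True
        return False
```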