  • Jason Marley thinks this is interesting:

Just as with your own personal credentials for various accounts and websites, you should rotate your client credentials as well. Set an interval, say every 6 months or every major release (depending on the security needs of your application, this may be longer or shorter), at which you request a new client secret and invalidate the old one. This minimizes the impact if your client secret is ever leaked.
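As an added example, not code from the book, here is what that rotation policy looks like on the authorization server side: secrets are stored only as salted hashes, a rotation mints a new secret and schedules the old one for invalidation, and verification rejects anything past its validity. The 180-day interval follows the text; the 7-day grace window, the `ClientRegistry` class and its method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ROTATION_INTERVAL = timedelta(days=180)  # the "every 6 months" interval from the text
GRACE_PERIOD = timedelta(days=7)         # assumed overlap so deployed clients can switch


@dataclass
class SecretRecord:
    salt: bytes
    digest: bytes
    issued_at: datetime
    valid_until: Optional[datetime] = None  # None = current secret, no expiry scheduled


@dataclass
class ClientRegistry:
    """Server-side store: one list of hashed secrets per client_id (hypothetical)."""
    clients: dict = field(default_factory=dict)

    def _hash(self, salt: bytes, secret: str) -> bytes:
        # Client secrets are high-entropy random tokens, so a salted SHA-256 suffices.
        return hashlib.sha256(salt + secret.encode()).digest()

    def issue_secret(self, client_id: str, now: datetime) -> str:
        """Mint a new secret; the previous one stays valid only for GRACE_PERIOD.

        The plaintext is returned exactly once for the client owner; only its hash is kept.
        """
        plaintext = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        records = self.clients.setdefault(client_id, [])
        for rec in records:
            if rec.valid_until is None:  # schedule the old secret for invalidation
                rec.valid_until = now + GRACE_PERIOD
        records.append(SecretRecord(salt, self._hash(salt, plaintext), now))
        return plaintext

    def verify(self, client_id: str, secret: str, now: datetime) -> bool:
        """Accept the secret only if it matches a record that has not been invalidated."""
        ok = False
        for rec in self.clients.get(client_id, []):
            if rec.valid_until is not None and now >= rec.valid_until:
                continue  # leaked-or-not, this old secret no longer works
            if hmac.compare_digest(rec.digest, self._hash(rec.salt, secret)):
                ok = True
        return ok

    def rotation_due(self, client_id: str, now: datetime) -> bool:
        """True when the newest secret is older than ROTATION_INTERVAL."""
        records = self.clients.get(client_id, [])
        return bool(records) and now - records[-1].issued_at >= ROTATION_INTERVAL
```

Logging every rejected old secret after the grace window is worth doing: a client still presenting a retired secret is either an incomplete rollout or someone holding a leaked copy.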


Cover of Mastering OAuth 2.0


This is a good practice and one to take note of for production systems.