How to Rotate the Client Secret for the Okta Workflows OAuth Application
Workflows
Okta Classic Engine
Okta Identity Engine
Overview
This article will cover how to rotate the client secret for the Okta Workflows OAuth application.
Applies To
  • Okta Workflows
  • Client secret rotation
Solution

Recommendations

  • Test this in a Preview org before rotating the secret in the Production org.
  • Although these steps can be followed simply to reauthorize the existing Workflows connection to Okta, it is recommended to create a new Okta connection, give it a name that distinguishes it from the old connection, and authorize it with the new client secret (step 3).
NOTE: If switching to a new connection, the old connection will continue to work until the token attempts to refresh itself, at which point it will stop.


Retrieve the Workflows OAuth App ID

  • Navigate to the Okta Workflows OAuth app (Admin > Applications > Applications > Okta Workflows OAuth app).
  • Copy the Application ID from the URL. It should look similar to 0oamrxasy9z0lTgw486.
    • Replace the applicationId throughout this article with this value.
 

Steps to rotate the Client Secret for the Workflows OAuth app

Once the app ID has been found and copied, follow the steps below:
NOTE: Replace the URL value in the steps below with the URL for the desired domain (for example, https://example.oktapreview.com).
  1. Open Postman to run the commands below (or any application used to run API calls for the Okta tenant).
  2. Run this POST command: 
    {{url}}/api/v1/apps/{{applicationId}}/credentials/secrets
    • This will create an additional secret in the application secrets.
    • Copy the secret generated.
  3. Create a NEW Okta connection in Workflows with the Service Account with Super Admin permissions (or appropriate RBAC permissions) using the client ID from the Workflows OAuth application and the secret that was just generated.
    • Rotate all of the Okta connections for all of the workflows to use the new Okta connection (click the usage button to the right of the connection to see the workflows using this connection).
    • If re-authenticating the existing Okta connection, skip this step.
  4. Run this GET command:
    {{url}}/api/v1/apps/{{applicationId}}/credentials/secrets
    • This will retrieve all of the secrets for the Workflows OAuth app in the environment.
  5. Compare the secret from the OAuth app to the secret in the response to determine which secret to deactivate, and copy the ID.
  6. Run this POST command using the secret ID of the old secret:
    {{url}}/api/v1/apps/{{applicationId}}/credentials/secrets/{{secretId}}/lifecycle/deactivate
  7. Finally, run this DELETE command using the secret ID of the old secret:
    {{url}}/api/v1/apps/{{applicationId}}/credentials/secrets/{{secretId}}
  8. If a NEW connection is used, navigate to the Workflows connections and delete the old Okta connection.
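
The comparison in step 5 and the calls in steps 6 and 7 can be checked in code before anything is deleted. The sketch below is an added example, not Okta's own tooling: it takes the parsed JSON from the step 4 GET and returns the deactivate and delete calls for the old secret, refusing to return any if the newly created secret is not present and active. The function name, the sample response and the secret IDs are constructed, and the `id`, `status` and `client_secret` field names are assumed from Okta's API response rather than taken from this article.

```python
import hmac

def plan_old_secret_removal(base_url, app_id, secrets, new_secret):
    """Return the ordered (method, url) calls for steps 6-7.

    `secrets` is the parsed JSON list from the step 4 GET. Field names
    (id, status, client_secret) are assumptions, not taken from this article.
    """
    def is_new(entry):
        # Constant-time comparison so the check does not leak secret contents.
        return hmac.compare_digest(
            entry.get("client_secret", "").encode(), new_secret.encode())

    keep = [s for s in secrets if is_new(s)]
    # Guard: never remove anything unless the new secret exists and is usable,
    # otherwise the application would be left with no working secret.
    if len(keep) != 1 or keep[0].get("status") != "ACTIVE":
        raise ValueError("new secret not found exactly once as ACTIVE")

    root = f"{base_url.rstrip('/')}/api/v1/apps/{app_id}/credentials/secrets"
    calls = []
    for entry in secrets:
        if is_new(entry):
            continue
        if entry.get("status") == "ACTIVE":
            # Step 6: an active secret is deactivated before it is deleted.
            calls.append(("POST", f"{root}/{entry['id']}/lifecycle/deactivate"))
        # Step 7: delete the old secret.
        calls.append(("DELETE", f"{root}/{entry['id']}"))
    return calls

# Constructed sample of a step 4 response (IDs and values are placeholders).
SAMPLE_SECRETS = [
    {"id": "ocs-OLD-placeholder", "status": "ACTIVE",
     "client_secret": "old-secret-value"},
    {"id": "ocs-NEW-placeholder", "status": "ACTIVE",
     "client_secret": "new-secret-value"},
]

if __name__ == "__main__":
    for method, url in plan_old_secret_removal(
            "https://example.oktapreview.com", "0oamrxasy9z0lTgw486",
            SAMPLE_SECRETS, "new-secret-value"):
        print(method, url)
```

Run the printed calls only after every workflow has been moved to the new connection in step 3.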
