Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> Hello, In Client Credentials flow, does the client secret have any kind of default expiry? I have trying to find documentation on that but no luck.

Based on the provided extracts, there is no specific mention of a default expiry for the client secret in the Client Credentials flow. The extracts discuss the expiry of various tokens such as access tokens, refresh tokens, and authorization codes, but not the client secret.   However, it's important to note that in the Client Credentials flow, the client is authenticated using its client ID and client secret, and if the credentials are verified, the authorization server returns an access token to the application. This access token does have a default expiry, which is one hour in Ory, but can be configured as needed.  For more detailed information, you may want to refer to the official Ory documentation or reach out to their support.  Sources: - [OAuth2 Concepts](<https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts>) - [Configure Token Expiration Time](<https://www.ory.sh/docs/hydra/guides/client-token-expiration>)