<@U04UQ68083H> How to read the new secret for a Hy...
# ory-copilot
@chilly-king-10285 How to read the new secret for a Hydra OAuth2 client credentials client?
A message from kapa.ai
You can only read an OAuth2 client’s secret at creation or when you explicitly set/replace it. It is not retrievable later.

- On create: The admin API and CLI return the secret in the response/output. Save it then, as it won’t be shown again (Create: “The secret is echoed in the response. It is not possible to retrieve it later on.”) ([createOAuth2Client](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)). CLI examples show capturing `client_id` and `client_secret` from the create output ([hydra create oauth2-client](https://www.ory.sh/docs/hydra/cli/hydra-create-oauth2-client#hydra-create-oauth2-client)).
- On update (replace): Use Set Client (`PUT /admin/clients/{id}`) and include `client_secret` in the payload to change it. If you pass `client_secret`, the new secret is used and echoed once in the response; otherwise the existing secret stays, and no secret is returned (“If you pass client_secret the secret is used, otherwise the existing secret is used. If set, the secret is echoed in the response. It is not possible to retrieve it later on.”) ([setOAuth2Client](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json)). The `hydra update oauth2-client` command replaces the entire client; include all desired fields and use `--secret` to set a new secret if needed ([hydra update oauth2-client](https://www.ory.sh/docs/hydra/cli/hydra-update-oauth2-client#hydra-update-oauth2-client), [Options](https://www.ory.sh/docs/hydra/cli/hydra-update-oauth2-client#options)).

If you didn’t capture the secret at create time and don’t want to change the client, there’s no way to “read” it. You must rotate it by setting a new secret via update and then save the returned value.