Hi @Community Alums,

In OAuth, the client secret is used as a way to authenticate the identity of the client application to the authorization server. It serves as a secure way to authenticate the client to the server, ensuring that only authorized clients can access protected resources.

In ServiceNow, requiring a client secret when creating a new OAuth application registry helps ensure the security of the OAuth flow and the protected resources within the ServiceNow instance. It adds an additional layer of security by verifying the identity of the client application before granting access to resources.

You can make it unmandated based on your requirement in Servicenow. However, it's generally recommended to keep the client secret mandatory to ensure the security of your Oauth Implementation. It's highly recommended to consult your security team or Oauth experts if you wish to make it non-mandatory.

Also you may not necessarily need to update client secret every 12th month but it's generally a good security practice to periodically review & update security credentials in your organisation including client secrets.

Please mark it to Accepted if this helped you. 

Thanks & Regards, 
Madhan Somesh.