# Okta_ClientSecret

> A secret used by applications to authenticate to the Okta API

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Overview

Client secrets are used by API service integrations and OIDC applications to authenticate with Okta and obtain access tokens.

<img src="https://mintcdn.com/specterops/vLZ2lUIRm_HibFmq/images/extensions/okta/app-client-secret-creation.png?fit=max&auto=format&n=vLZ2lUIRm_HibFmq&q=85&s=766cdd8df3c6fd228325afd9cb186834" alt="Okta client secret creation" width="1071" height="526" data-path="images/extensions/okta/app-client-secret-creation.png" />

An application can have up to two client secrets configured, to allow for secret rotation.

<img src="https://mintcdn.com/specterops/vLZ2lUIRm_HibFmq/images/extensions/okta/app-client-secret-rotation.png?fit=max&auto=format&n=vLZ2lUIRm_HibFmq&q=85&s=8a651bd8027148bb6322ac0c7439e9e1" alt="Okta client secret rotation" width="1068" height="435" data-path="images/extensions/okta/app-client-secret-rotation.png" />

Client secrets are represented as Okta\_ClientSecret nodes in BloodHound.

<Info>
  For security reasons, the OpenHound and OktaHound collectors do not collect client secrets, only their hashed identifiers.
</Info>

## Edges

<Note>
  The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

| Edge Type                                                                        | Source Node Types                                                                                                                                                                            | Traversable |
| -------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [Okta\_ReadClientSecret](/opengraph/extensions/okta/edges/okta_readclientsecret) | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ✅           |

### Outbound Edges

| Edge Type                                                        | Destination Node Types                                                                                                                                             | Traversable |
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- |
| [Okta\_SecretOf](/opengraph/extensions/okta/edges/okta_secretof) | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application), [Okta\_ApiServiceIntegration](/opengraph/extensions/okta/nodes/okta_apiserviceintegration) | ✅           |

## Properties

| Name          | Source                      | Type       | Description                                              |
| ------------- | --------------------------- | ---------- | -------------------------------------------------------- |
| `id`          | `secret.id`                 | `string`   | Unique client secret identifier.                         |
| `name`        | `secret.secretHash`         | `string`   | Hash of the secret value used as name/display label.     |
| `displayName` | `secret.secretHash`         | `string`   | Display label used in BloodHound.                        |
| `oktaDomain`  | Collector context (non-API) | `string`   | Okta organization domain where the client secret exists. |
| `status`      | `secret.status`             | `string`   | Current lifecycle status of the secret.                  |
| `created`     | `secret.created`            | `datetime` | Secret creation timestamp.                               |
| `lastUpdated` | `secret.lastUpdated`        | `datetime` | Last update timestamp for the secret metadata.           |

## Sample Property Values

```yaml
id: ocsxqwizfyqsf0aVG697
name: T1e6fl4jGqvPkgd94NKx5g
displayName: T1e6fl4jGqvPkgd94NKx5g
oktaDomain: contoso.okta.com
status: ACTIVE
created: 2025-11-24T12:24:08.000Z
lastUpdated: 2025-11-24T12:24:08.000Z
```

<Info>
  For security reasons, the OktaHound collector does not write cleartext client secrets
  to the OpenGraph JSON, only their hashed identifiers.
</Info>
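
The following audit sketch is an added example, not part of the BloodHound documentation or the collectors' code. It uses the `status` and `created` properties together with `Okta_SecretOf` edges to flag applications that still hold two `ACTIVE` secrets (a rotation that was never finished) and `ACTIVE` secrets older than a chosen age. The flat record layout, the application ids, the `INACTIVE` status value, and the 90-day threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data. Property names follow the Properties table above;
# the flat dict layout, ids, and the INACTIVE value are assumptions.
SECRETS = [
    {"id": "ocs-A1", "name": "hashA1", "status": "ACTIVE", "created": "2024-01-10T09:00:00.000Z"},
    {"id": "ocs-A2", "name": "hashA2", "status": "ACTIVE", "created": "2025-11-24T12:24:08.000Z"},
    {"id": "ocs-B1", "name": "hashB1", "status": "INACTIVE", "created": "2023-05-01T00:00:00.000Z"},
    {"id": "ocs-B2", "name": "hashB2", "status": "ACTIVE", "created": "2025-10-01T00:00:00.000Z"},
]
# Okta_SecretOf edges as (Okta_ClientSecret id, application id) pairs.
SECRET_OF = [("ocs-A1", "app-A"), ("ocs-A2", "app-A"),
             ("ocs-B1", "app-B"), ("ocs-B2", "app-B")]


def parse_ts(value):
    """Parse timestamps in the format shown under Sample Property Values."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_secrets(secrets, secret_of, now, max_age_days=90):
    """Return (apps with more than one ACTIVE secret, stale ACTIVE secret ids)."""
    by_id = {s["id"]: s for s in secrets}
    active_per_app = defaultdict(list)
    for secret_id, app_id in secret_of:
        secret = by_id.get(secret_id)
        if secret and secret["status"] == "ACTIVE":
            active_per_app[app_id].append(secret_id)
    # Two ACTIVE secrets means the old credential is still accepted.
    unfinished_rotation = {app: sorted(ids)
                           for app, ids in active_per_app.items() if len(ids) > 1}
    cutoff = now - timedelta(days=max_age_days)
    stale = sorted(s["id"] for s in secrets
                   if s["status"] == "ACTIVE" and parse_ts(s["created"]) < cutoff)
    return unfinished_rotation, stale


if __name__ == "__main__":
    fixed_now = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    print(audit_secrets(SECRETS, SECRET_OF, fixed_now))
```
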
