How do I generate and reveal a client secret?


To obtain a short-lived OAuth2-compliant API access token you require a client secret.

You must create an application that pairs a client ID you provide with a client secret and token URL generated by LUSID. You can then use this information in conjunction with the username and password of a valid LUSID user to obtain an API access token and authorise calls to the LUSID API, either directly or via the SDK.

Using the LUSID web app

To create an application and generate a client secret:

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and access > Applications.

  3. On the Applications dashboard, click the Create application button.

  4. Specify a Client Id (no spaces) and a Display name, and click the Save button. LUSID automatically generates a client secret.

  5. On the Applications dashboard, click the View icon to reveal the client secret and Okta's dedicated token URL for your LUSID domain.

    Note: Exporting credentials is useful when you want to call the LUSID API using the SDK.

Using the Identity API

On the second and subsequent occasions, you can use the Identity API to create an application and generate a client secret.

Note: Because you need an API access token to call the Identity API (for which you need a client secret), you'll either need to use the LUSID web app the first time, or else pass in a personal access token instead (which doesn't require a client secret).

  1. Obtain an API access token, if possible.

  2. Call the CreateApplication API, passing in your access token, a client ID and friendly name that are unique within your domain, and a type of Native. For example:

    # The JSON body needs double-quoted keys and values, so wrap it in single quotes for the shell
    curl -X POST "https://<your-domain>.lusid.com/identity/api/applications" \
       -H "Authorization: Bearer <your-access-token>" \
       -H "Content-Type: application/json" \
       -d '{"clientId":"example-sdk-app","displayName":"Example SDK application","type":"Native"}'

    The response contains an automatically-generated client secret, and an issuer that is Okta's dedicated token URL for your LUSID domain:

    {
        "id": "0oabw8p5aaGCl5zAA2p8",
        "type": "Native",
        "displayName": "Example SDK application",
        "secret": "k94QiqJMrPOJaoUB0MJecOu0blANeWHX4MdcqdYH",
        "clientId": "example-sdk-app",
        "issuer": "https://lusid-<your-domain>.okta.com/oauth2/aus91lnun55CZDvav6p7"
    }
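
The response carries the client secret in clear text, so it should go straight into a file only its owner can read, and only a masked copy should reach logs or terminals. The following is an added example, not code from the original page or from LUSID. The function names, the output file layout and the sample values are assumptions made for illustration.

```python
import json
import os
import tempfile

# Fields of the CreateApplication response needed later to request a token.
REQUIRED = ("clientId", "secret", "issuer")


def redact(response: dict) -> dict:
    """Return a copy of the response that is safe to log: the secret is masked."""
    safe = dict(response)
    if "secret" in safe:
        safe["secret"] = "***redacted***"
    return safe


def store_credentials(response_text: str, path: str) -> dict:
    """Validate a CreateApplication response and save it with owner-only access.

    Returns the redacted response so callers have something safe to print.
    """
    response = json.loads(response_text)
    missing = [key for key in REQUIRED if not response.get(key)]
    if missing:
        raise ValueError(f"response is missing fields: {missing}")
    if not response["issuer"].startswith("https://"):
        raise ValueError("issuer must be an https URL")
    creds = {key: response[key] for key in REQUIRED}
    # O_EXCL refuses to overwrite an existing file or follow a pre-planted
    # symlink; mode 0o600 applies at creation, so the secret is never
    # readable by group or others, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(creds, handle)
    return redact(response)


# Constructed sample shaped like the response above; every value is a placeholder.
SAMPLE = json.dumps({
    "id": "constructed-id",
    "type": "Native",
    "displayName": "Example SDK application",
    "secret": "constructed-placeholder-secret",
    "clientId": "example-sdk-app",
    "issuer": "https://lusid-example.okta.com/oauth2/constructed",
})

if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "lusid-app-credentials.json")
    print(store_credentials(SAMPLE, target))  # secret appears masked
    print(oct(os.stat(target).st_mode & 0o777))
```

In practice, pipe the curl output into the script rather than letting it print to the terminal, where it would land in scrollback and possibly session logs.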