We’re making an important change to how Azure DevOps displays OAuth client secrets to align with industry best practices and improve our overall security posture. Starting in September 2025, newly generated client secrets will be shown only once, at the time of creation. After that, they can no longer be retrieved via the UI or the API.
This update helps reduce the risk of accidental exposure and encourages secure storage practices, such as saving secrets in Azure Key Vault or other secure vaults. These changes will go into effect for all apps by September 2, 2025.
We will also be retiring the Get Registration Secret API, which previously allowed retrieval of existing secrets. This API will be deprecated and removed to prevent misuse and reinforce the principle that secrets should be treated as sensitive credentials—not retrievable artifacts.
If you are using the Get Registration Secret API in any flow, please take the time to remove it from your secret rotation flow this month before the change takes effect.
If you lose access to a secret, you will need to rotate it using the new secret rotation APIs, which support overlapping secrets so that a rotation causes no downtime: create the new secret, move your application over to it, and only then revoke the old one. For more details on secure secret handling and rotation, refer to the Azure DevOps OAuth documentation.
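The following is an added example, not Azure DevOps code and not its rotation API, that simulates the two properties the announcement describes: a secret whose plaintext is returned exactly once (the registration keeps only a hash, so nothing like a "get secret" call is possible afterwards), and an overlap window in which the old and new secret are both accepted so that a consumer can be cut over before the old one is revoked. `Registration`, `Vault` (a stand-in for Key Vault) and `rotate_with_overlap` are hypothetical names constructed for this illustration; `rotate_revoke_first` shows the outage you get when the order is wrong.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    """The server side only ever keeps a hash, so a stored secret cannot be read back."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Registration:
    """Hypothetical app registration that may hold several concurrently valid secrets."""
    client_id: str
    secret_hashes: dict = field(default_factory=dict)  # secret_id -> sha256 hex

    def new_secret(self) -> tuple[str, str]:
        """Mint a secret. The plaintext is returned exactly once and never stored."""
        secret_id = "sec-" + secrets.token_hex(4)
        plaintext = secrets.token_urlsafe(32)
        self.secret_hashes[secret_id] = _digest(plaintext)
        return secret_id, plaintext

    def revoke(self, secret_id: str) -> None:
        self.secret_hashes.pop(secret_id)

    def verify(self, presented: str) -> bool:
        """Accept if the presented value matches ANY active secret (the overlap window)."""
        d = _digest(presented)
        return any(hmac.compare_digest(d, h) for h in self.secret_hashes.values())


class Vault:
    """Stand-in for a secret store such as Key Vault (constructed for this example)."""

    def __init__(self) -> None:
        self._items: dict = {}

    def set(self, name: str, value: str) -> None:
        self._items[name] = value

    def get(self, name: str) -> str:
        return self._items[name]


def rotate_with_overlap(reg: Registration, vault: Vault, name: str, old_id: str):
    """Zero-downtime rotation: mint new, cut the consumer over, only then revoke old.
    Returns the new secret id and a trace of (step, old_accepted, vault_value_accepted)."""
    trace = []
    old_plain = vault.get(name)
    new_id, new_plain = reg.new_secret()          # 1. both secrets valid from here on
    trace.append(("minted", reg.verify(old_plain), reg.verify(new_plain)))
    vault.set(name, new_plain)                     # 2. consumers now read the new value
    trace.append(("cutover", reg.verify(old_plain), reg.verify(vault.get(name))))
    reg.revoke(old_id)                             # 3. retire old only after cutover
    trace.append(("revoked", reg.verify(old_plain), reg.verify(vault.get(name))))
    return new_id, trace


def rotate_revoke_first(reg: Registration, vault: Vault, name: str, old_id: str):
    """The wrong order: revoking before cutover leaves consumers with a dead secret."""
    reg.revoke(old_id)
    outage = not reg.verify(vault.get(name))      # consumer still holds the old value
    new_id, new_plain = reg.new_secret()
    vault.set(name, new_plain)
    return new_id, outage


def demo():
    """Stand-alone walk-through; returns the overlap trace for inspection."""
    reg, vault = Registration("app-123"), Vault()
    first_id, first_plain = reg.new_secret()       # plaintext seen exactly once here
    vault.set("app-123-client-secret", first_plain)
    _, trace = rotate_with_overlap(reg, vault, "app-123-client-secret", first_id)
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point to carry over to a real rotation flow is the ordering in `rotate_with_overlap`: the value handed back by secret creation is written to the vault immediately, the consumer is verified against the new value, and only then is the previous secret revoked. Anything that depended on reading a secret back later has to be replaced by reading it from the vault where it was stored at creation time.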
These changes are part of our broader Secure First Initiative and reflect our commitment to protecting identities and secrets across the Azure DevOps ecosystem. If you have questions or need help updating your workflows, reach out to the Azure DevOps Identity team.