Shared Client Secret Across Widgets Causes Global Breakage on Regeneration
under review
Uppili Srinivasan
Currently, when JWT is enabled for widgets, all widgets under the same project share a single client secret. Regenerating this client secret for any one widget invalidates authentication for all other widgets in the project, leading to unintended production outages.
This behavior creates operational risk, as accidental or required key regeneration by one team or widget impacts all dependent widgets.
It would be great to have a separate client secret for each widget.
Mohamed Shakheen marked this post as under review
Mohamed Shakheen
Hi Innovative Cod @Uppili
Thank you for bringing this to our attention.
We understand the operational risk associated with having a single shared client secret across all JWT-enabled widgets within the same project. As you rightly pointed out, regenerating the secret for one widget currently invalidates authentication for all other widgets under that project, which can lead to unintended production disruptions.
We acknowledge that this model introduces cross-team dependency and increases the blast radius of what should ideally be an isolated action. Having a dedicated client secret per widget would provide stronger isolation, reduce outage risk, and improve operational control.
We will evaluate this internally with our engineering and security teams, including:
- Architectural impact of supporting per-widget client secrets
- Backward compatibility considerations
- Migration strategy for existing projects
- Security and token validation implications
Once the assessment is complete, we will share an update on feasibility.
Mohamed Shakheen
Merged in a post:
Shared Client Secret Across Widgets Causes Global Breakage on Regeneration
Nikil Srinivasan
Currently, when JWT is enabled for widgets, all widgets under the same project share a single client secret. Regenerating this client secret for any one widget invalidates authentication for all other widgets in the project, leading to unintended production outages.
This behavior creates operational risk, as accidental or required key regeneration by one team or widget impacts all dependent widgets.
This tech debt should track the need to:
- Re-evaluate the shared client secret design for widgets
- Consider widget-level or scoped secrets, or safer rotation mechanisms
Uppili Srinivasan
Created on behalf of Innovative Cod
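As an added example (not code from the original posts or from the product being discussed), the following Python sketch shows what the "widget-level or scoped secrets" and "safer rotation mechanisms" requested above could look like for HS256-signed widget JWTs: each widget owns its own secrets under distinct key ids (`kid`), rotation adds a new secret and retires the old one only after a grace window, and a token signed with one widget's key can never verify for another widget. The `WidgetKeyring`, `sign_widget_jwt`, `verify_widget_jwt` and `rotation_scenario` names, the widget ids and the secrets are all constructed for illustration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class WidgetKeyring:
    """Per-widget HS256 secrets, each under its own key id (kid).

    Rotating one widget's secret adds a new kid and schedules that widget's
    older kids to retire after a grace window, so tokens already issued keep
    verifying until clients have picked up the new secret. Other widgets in
    the same project are not touched at all. (Constructed example.)
    """

    def __init__(self, now=time.time):
        self._now = now
        self._keys = {}  # kid -> (widget_id, secret bytes, retire_at or None)

    def add_secret(self, widget_id: str, kid: str, secret: bytes) -> None:
        if kid in self._keys:
            raise ValueError(f"kid {kid!r} already registered")
        self._keys[kid] = (widget_id, secret, None)

    def rotate(self, widget_id: str, new_kid: str, new_secret: bytes, grace_seconds: float) -> None:
        """Introduce a new secret for one widget; retire its current ones after the grace window."""
        self.add_secret(widget_id, new_kid, new_secret)
        retire_at = self._now() + grace_seconds
        for kid, (wid, secret, _) in list(self._keys.items()):
            if wid == widget_id and kid != new_kid:
                self._keys[kid] = (wid, secret, retire_at)

    def lookup(self, kid: str):
        """Return (widget_id, secret) for an active kid, or None if unknown or retired."""
        entry = self._keys.get(kid)
        if entry is None:
            return None
        widget_id, secret, retire_at = entry
        if retire_at is not None and self._now() >= retire_at:
            return None
        return widget_id, secret


def sign_widget_jwt(claims: dict, kid: str, secret: bytes) -> str:
    """Issue an HS256 JWT whose header names the kid it was signed with."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_widget_jwt(token: str, widget_id: str, keyring: WidgetKeyring):
    """Verify a token for one specific widget; return its claims, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: only an exact HS256 match is accepted, never "none" or anything else.
    if header.get("alg") != "HS256" or not isinstance(header.get("kid"), str):
        return None
    found = keyring.lookup(header["kid"])
    if found is None:
        return None  # unknown kid, or a secret that has already been retired
    key_widget, secret = found
    if key_widget != widget_id:
        return None  # a kid belongs to exactly one widget; no cross-widget verification
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("wid") != widget_id:
        return None
    return claims


def rotation_scenario() -> dict:
    """Constructed walk-through: rotate widget A's secret and record who is affected."""
    clock = {"t": 1_000_000.0}  # fake clock so the grace window is testable offline
    ring = WidgetKeyring(now=lambda: clock["t"])
    ring.add_secret("widget-a", "a-v1", b"constructed-secret-a1")
    ring.add_secret("widget-b", "b-v1", b"constructed-secret-b1")
    tok_a = sign_widget_jwt({"wid": "widget-a", "sub": "user-1"}, "a-v1", b"constructed-secret-a1")
    tok_b = sign_widget_jwt({"wid": "widget-b", "sub": "user-2"}, "b-v1", b"constructed-secret-b1")
    ring.rotate("widget-a", "a-v2", b"constructed-secret-a2", grace_seconds=300)
    results = {
        "a_old_during_grace": verify_widget_jwt(tok_a, "widget-a", ring) is not None,
        "b_unaffected": verify_widget_jwt(tok_b, "widget-b", ring) is not None,
        "a_key_rejected_for_b": verify_widget_jwt(tok_a, "widget-b", ring) is None,
    }
    clock["t"] += 301  # grace window has elapsed
    tok_a2 = sign_widget_jwt({"wid": "widget-a", "sub": "user-1"}, "a-v2", b"constructed-secret-a2")
    results["a_old_after_grace"] = verify_widget_jwt(tok_a, "widget-a", ring) is None
    results["a_new_after_grace"] = verify_widget_jwt(tok_a2, "widget-a", ring) is not None
    results["b_still_fine"] = verify_widget_jwt(tok_b, "widget-b", ring) is not None
    return results


if __name__ == "__main__":
    print(rotation_scenario())
```

The two design choices that matter here are that the verifier looks up the secret by `kid` and then checks the kid's owning widget against the widget it is verifying for (so a per-widget secret really scopes trust), and that `rotate` never deletes a secret outright but schedules it to retire, which is what turns regeneration from an instant global break into a bounded, per-widget cut-over.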