Get your free and exclusive +30-page Authentication Analytics Whitepaper
Back to Overview

Confidential vs. Public Applications - Understanding Client Types

Explore the differences between confidential and public client applications in terms of security, capabilities, and use cases in authentication protocols.

Vincent Delitz
Vincent Delitz

Created: May 17, 2024

Updated: March 25, 2026

Confidential and Public Applications refer to classifications of client applications in OAuth 2.0, distinguished by their ability to securely handle credentials like e.g. client secrets.

What are Confidential and Public Applications?#

Confidential and Public Applications refer to two classifications of client applications in OAuth 2.0, distinguished by their ability to securely handle credentials like client secrets. Confidential applications can securely store credentials and are typically server-side applications, while public applications cannot securely store credentials and are often client-side apps, such as mobile or desktop applications.

  • Confidential applications can secure credentials and perform robust authentication.
  • Public applications are unable to secure credentials and require different security measures.
  • Both types use OAuth 2.0 for authentication but differ in their security capabilities.

Characteristics of Confidential Applications#
  • Secured Environment: Runs on servers where direct access by users or attackers is restricted.
  • Capability to Secure Secrets: Able to safely store client secrets used for authentication.
  • Best Practices: Includes using managed identities, secure storage, and regular rotation of client secrets.

Characteristics of Public Applications#
  • Run on Client Devices: Such as desktops, mobile devices, or within browsers where access to source code can occur.
  • Inability to Secure Secrets: Cannot safely store client secrets due to the risk of exposure.
  • Authentication Flow: Uses OAuth 2.0 flows that do not require client secrets for authentication.

Security Measures and Best Practices#
  • For Confidential Applications: Utilize secure channels for transmitting secrets, use encryption for stored data, and implement strict access controls.
  • For Public Applications: Employ strong client-side security measures such as PKCE (Proof Key for Code Exchange) to enhance the security of OAuth flows.

FAQs about Confidential and Public Applications#

What defines a confidential application in OAuth 2.0?#

A confidential application is one that can secure client credentials (like client IDs and secrets) and use these for authenticating with authorization servers.

Why can’t public applications hold credentials securely?#

Public applications run in environments like personal devices or browsers where the secure storage of credentials is not feasible, making them susceptible to attacks such as reverse engineering.

How do public and confidential applications handle token authentication differently?#

Confidential applications can use secrets to authenticate and obtain tokens, while public applications typically use alternative methods like PKCE to secure their token exchanges without needing a client secret.

Are there specific OAuth 2.0 flows designed for public applications?#

Yes, public applications often use the Authorization Code flow with PKCE, which enhances security for apps unable to hold secrets.

See how Corbado fits your passkey rollout and existing authentication stack.

Explore the Console

Share this article

LinkedInTwitterFacebook

Table of Contents

Related Terms

Related Articles

invisible mfa

How invisible MFA with Passkeys solves the MFA Problem

Vincent Delitz - January 18, 2024

psd2 passkeys

PSD2 Passkeys: Phishing-Resistant PSD2-Compliant MFA

Vincent Delitz - February 7, 2023

passkeys cheat sheet

Passkeys Cheat Sheet for Developers

Lukas R. - March 6, 2024