---
url: 'https://www.corbado.com/glossary/confidential-public-applications'
title: 'Confidential and Public Applications'
description: 'Explore the differences between confidential and public client applications in terms of security, capabilities, and use cases in authentication protocols.'
lang: 'en'
keywords: 'confidential and public applications'
---

# Confidential and Public Applications

## What are Confidential and Public Applications?

**Confidential and Public Applications** refer to two classifications of client
applications in [OAuth 2.0](https://www.corbado.com/glossary/oauth2), distinguished by their ability to securely
handle credentials like client secrets. Confidential applications can securely store
credentials and are typically server-side applications, while public applications cannot
securely store credentials and are often client-side apps, such as mobile or desktop
applications.

> - **Confidential applications** can secure credentials and perform robust authentication.
> - **Public applications** are unable to secure credentials and require different security
>   measures.
> - Both types use [OAuth 2.0](https://www.corbado.com/glossary/oauth2) for authentication but differ in their
>   security capabilities.

---

### Characteristics of Confidential Applications

- **Secured Environment:** Runs on servers where direct access by users or attackers is
  restricted.
- **Capability to Secure Secrets:** Able to safely store client secrets used for
  authentication.
- **Best Practices:** Includes using managed identities, secure storage, and regular
  rotation of client secrets.

### Characteristics of Public Applications

- **Run on Client Devices:** Such as desktops, mobile devices, or browsers, where the
  user or an attacker can inspect the application's code and local storage.
- **Inability to Secure Secrets:** Cannot safely store client secrets due to the risk of
  exposure.
- **Authentication Flow:** Uses [OAuth 2.0](https://www.corbado.com/glossary/oauth2) flows that do not require
  client secrets for authentication.

### Security Measures and Best Practices

- **For Confidential Applications:** Utilize secure channels for transmitting secrets, use
  encryption for stored data, and implement strict access controls.
- **For Public Applications:** Employ strong client-side security measures such as PKCE
  (Proof Key for Code Exchange) to enhance the security of OAuth flows.

---

## FAQs about Confidential and Public Applications

### What defines a confidential application in OAuth 2.0?

A confidential application is one that can keep its client credentials (a client ID paired
with a client secret) out of reach of users and attackers, and uses them to authenticate to
the authorization server.

### Why can’t public applications hold credentials securely?

Public applications run in environments like personal devices or browsers where secure
storage of credentials is not feasible; any embedded secret can be recovered through
reverse engineering of the shipped code, so it offers no real authentication value.

### How do public and confidential applications handle token authentication differently?

Confidential applications can use secrets to authenticate and obtain tokens, while public
applications typically use alternative methods like PKCE to secure their token exchanges
without needing a client secret.

### Are there specific OAuth 2.0 flows designed for public applications?

Yes, public applications often use the Authorization Code flow with PKCE, which enhances
security for apps unable to hold secrets.
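The PKCE mechanism referred to in the security measures above and in this FAQ, as an added example that is not part of this glossary entry or of Corbado's own code: the public client derives an S256 `code_challenge` from a random `code_verifier`, and the authorization server binds the authorization code to that challenge so that a code alone, without the verifier, cannot be redeemed. The `AuthServer` class is a hypothetical in-memory model standing in for a real authorization server.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# --- Public client side: build the PKCE pair (RFC 7636, S256 method) ---

def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes, base64url without padding, gives 43 unreserved chars:
    # the minimum verifier length RFC 7636 allows (maximum is 128).
    return secrets.token_urlsafe(nbytes)

def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# --- Authorization server side (toy in-memory model, an assumption here) ---

class AuthServer:
    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Refuse the "plain" method: it would make the verifier equal the challenge.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Pop the code so it is single-use; a replayed code fails here.
        stored = self._pending.pop(code, None)
        if stored is None or not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), stored)

def run_exchange() -> Tuple[bool, bool, bool]:
    """Returns (legitimate redemption, replay of same code, code used without verifier)."""
    server = AuthServer()
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    legit = server.token(code, verifier)          # expected True
    replay = server.token(code, verifier)         # expected False: code consumed
    code2 = server.authorize(code_challenge_s256(verifier))
    wrong = server.token(code2, make_code_verifier())  # expected False: no verifier
    return legit, replay, wrong
```

The `code_challenge_s256` function reproduces the test vector from RFC 7636 Appendix B, which is a quick way to validate any PKCE implementation against the specification.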
