A public client is an OAuth 2.0 or OpenID Connect client that cannot keep a client secret (or any other long-term client credential) confidential, typically because it runs on a device the end user controls. The distinction matters because a secret compiled into a mobile binary or shipped in browser JavaScript can be extracted by anyone who has a copy of the app, so the authorization server cannot use it to tell the genuine client from an impersonator.
What is a Public Client?
Examples include browser-based (single-page) apps, mobile apps, and desktop or command-line clients installed on user machines. Because such clients cannot reliably protect a client secret, they are registered as public clients and use the authorization code flow with PKCE (RFC 7636), which binds each authorization code to the client instance that requested it without relying on any static credential. The legacy implicit flow, which returned tokens directly in the redirect, is discouraged for the same reason.
What a Public Client Commonly Supports
Common use cases include single-page applications, native mobile sign-in, desktop apps, and any user-facing client running on endpoints the service operator does not control.
Public Client vs. Confidential Client
A public client cannot safely keep a secret, so the authorization server treats its client_id as an identifier only, not as proof of identity. A confidential client runs in a controlled server-side environment and authenticates to the token endpoint with a credential it can actually protect, such as a client secret, a private-key JWT, or an mTLS client certificate.
Frequently Asked Questions
Why is public-client classification important?
Because registering a client as confidential when it really runs on user devices leads to unsafe choices: a client_secret gets embedded in the app, anyone with a copy of the app can extract it and impersonate the client, and the authorization server may skip protections such as requiring PKCE or strict redirect URI matching on the false assumption that client authentication already binds the flow to the legitimate client.
Can a public client still be secure?
Yes. The authorization code flow with PKCE prevents an intercepted authorization code from being redeemed by anyone who does not hold the matching code_verifier, exact redirect URI registration limits where codes can be delivered, and careful token handling (short-lived access tokens, refresh token rotation, and keeping tokens out of URLs and long-lived browser storage where possible) limits the damage if a token does leak.
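The PKCE mechanism referred to above and in the definition section, shown end to end as an added example written for this entry (it is not code from any OAuth library or vendor): the client derives a code_challenge from a random code_verifier, the authorization server stores the challenge with the issued code, and the token endpoint releases a token only to a caller that presents the original verifier. The in-memory authorization server, the client_id "example-mobile-app", and the redirect URI "com.example.app:/cb" are assumptions so the exchange runs offline; the code_verifier/code_challenge pair in the comments is the RFC 7636 Appendix B test vector.

```python
"""PKCE (RFC 7636, S256 method) as used by a public client.

Illustrative code written for this glossary entry, not a library or any
vendor's implementation. The authorization server below is an in-memory
stand-in (assumption) so the whole exchange runs offline.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43..128 chars of [A-Za-z0-9-._~]; 32 random bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))).

    RFC 7636 Appendix B vector:
      verifier  dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    """
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Stand-in authorization server (constructed for this example).

    It stores the code_challenge alongside each issued code and checks the
    code_verifier at the token endpoint. No client secret is involved: for a
    public client the challenge is the only thing binding code to requester.
    """

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge)
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        # Reject the "plain" method: it would send the verifier in the clear.
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_redirect, challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return {"error": "invalid_grant"}
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_exchange(attacker_intercepts_code: bool = False) -> dict:
    """Run the full flow; optionally let an attacker who captured the code
    (for example via a hijacked custom URI scheme) try to redeem it."""
    server = ToyAuthorizationServer()
    client_id = "example-mobile-app"      # assumption: a registered public client
    redirect_uri = "com.example.app:/cb"  # assumption: custom-scheme redirect

    verifier = make_code_verifier()        # stays on the device that started the flow
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, redirect_uri, challenge)

    if attacker_intercepts_code:
        # client_id, redirect_uri and the code are all observable; the
        # verifier is not, so the attacker can only present a guess.
        return server.token(client_id, redirect_uri, code, make_code_verifier())
    return server.token(client_id, redirect_uri, code, verifier)


if __name__ == "__main__":
    print(run_exchange())                               # access_token issued
    print(run_exchange(attacker_intercepts_code=True))  # {'error': 'invalid_grant'}
```

The point to take from the failure branch is what PKCE does and does not do: it stops an intercepted authorization code from being turned into a token, but it says nothing about protecting the resulting access token on the device, which is why the answer above also calls for short-lived tokens and refresh token rotation.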