If the <<_access-type, access type>> of the client is set to *confidential*, the credentials of the client must be configured under the *Credentials* tab.
This choice is the default setting. The secret is automatically generated for you and the clicking *Regenerate Secret* recreates the secret if necessary.
When choosing this credential type you will have to also generate a private key and certificate for the client in the tab `Keys`. The private key will be used to sign the JWT, while the certificate is used by the server to verify the signature.
Importing a certificate is unnecessary if you click *Use JWKS URL*. In this case, you can provide the URL where the public key is published in https://self-issued.info/docs/draft-ietf-jose-json-web-key.html[JWK] format. With this option, if the key is ever changed, {project_name} reimports the key.
If you are using a client secured by {project_name} adapter, you can configure the JWKS URL in this format, assuming that https://myhost.com/myapp is the root URL of your client application:
[source,bash,subs=+attributes]
----
https://myhost.com/myapp/k_jwks
----
See link:{developerguide_link}[{developerguide_name}] for more details.
WARNING: {project_name} caches public keys of OIDC clients. If the private key of your client is compromised, update your keys and clear the key cache. See <<_clear-cache, Clearing the cache>> section for more details.