WP OAuth Server allows public clients to be used with the Authorization Code grant type. A public client is a client created for software or mobile apps that cannot store a secret securely.
We highly advise against using plain public clients with WP OAuth Server, as there is always a way to make something more secure. However, because there is a need for public clients with OAuth 2.0 and WordPress, we still provide full support for them.
Please be advised that if you do use public clients, you should consider using PKCE, which is also fully supported by WP OAuth Server. Learn more about Proof Key for Code Exchange.
Create a Public Client
After creating a client normally, you can simply delete the client secret in the client editor and click “Update Client”. This will remove the secret and tell WP OAuth Server that the client is a public client and a secret is not required to authorize requests.
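As an added example (not WP OAuth Server's own code), this is what a public client without a secret does when it follows the PKCE recommendation above, together with the check an authorization server performs at the token step. The endpoint, client ID and redirect URI are constructed placeholders; the parameter names come from RFC 6749 and RFC 7636.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the minimum length RFC 7636 allows.
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(endpoint, client_id, redirect_uri, state, verifier) -> str:
    # Only the challenge leaves the app here; the verifier stays in local memory.
    return endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    })

def token_request_body(client_id, redirect_uri, code, verifier) -> dict:
    # Public client: no client_secret. The verifier proves that the app
    # redeeming the code is the same one that started the flow.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    # Server-side check at the token endpoint, compared in constant time.
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)

if __name__ == "__main__":
    # Constructed placeholder values, not real WP OAuth Server settings.
    v = new_code_verifier()
    print(authorization_url("https://example.com/authorize", "PUBLIC_CLIENT_ID",
                            "com.example.app:/callback", secrets.token_urlsafe(16), v))
    print(server_accepts(code_challenge_s256(v), v))                    # legitimate app
    print(server_accepts(code_challenge_s256(v), new_code_verifier()))  # stolen code only
```

An authorization code intercepted on its way back to the app is useless without the matching verifier, which is the protection a public client otherwise lacks.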