fix: update relevant doc pages with improved instructions

[tamalchowdhury]

This PR improves 3 new doc changes. The following pages are updated with better content, instructions, and ai_summary:

• Kinde app keys
• Rotate client secret
• Common API key error page

Summary by CodeRabbit

• Documentation
  • Updated client secret rotation guide with improved workflow and new feature for maintaining previous secrets
  • Enhanced app keys documentation with simplified instructions and FAQs covering client secret rotation and security best practices
  • Revised API key troubleshooting guide with expanded error categories, updated solutions, and best practices for preventing future issues

[coderabbitai]

Walkthrough

Three documentation pages are updated to modernize guidance on API credentials: client secret rotation now emphasizes immediate deactivation and adds a paid "maintain previous secret" option; the app keys guide introduces credential definitions and FAQs covering rotation and secure storage; and the API key troubleshooting guide refreshes error categories, adds code examples for seven solution paths, and appends best-practice prevention guidance.

Changes

API Credentials Documentation

Layer / File(s)	Summary
Client secret rotation guide src/content/docs/build/applications/rotate-client-secret.mdx	Frontmatter is refreshed with updated title, keywords, and metadata. The rotation workflow emphasizes immediate deactivation, adds a paid-plan Maintain previous secret toggle with an upgrade sidebar, and includes a new subsection explaining how to delete the previous secret before rotating again.
App keys getting started guide src/content/docs/get-started/connect/getting-app-keys.mdx	Frontmatter is updated with sidebar label and table-of-contents configuration. Page metadata and intro are revised. A new "App key FAQs" section is added with explanations of client secret rotation workflows, why front-end apps use PKCE and lack a client secret, and secure storage practices using secrets managers and .gitignore exclusions.
API key troubleshooting guide src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx	Frontmatter adds table-of-contents and expands topics. Error introductions are refreshed. Six solution sections receive updated code examples: Invalid API key adds explicit Bearer-prefix validation, Token expired introduces token refresh patterns with expiry tracking, Malformed request shows header construction and URLSearchParams token exchange, Insufficient scope and Organization access denied include validation helper code, Rate limit exceeded introduces a RateLimiter class implementation, and Invalid scopes adds dashboard steps plus a list of standard scopes. A new "Prevent future API key errors" section appends best-practice guidance.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Three pages of docs now shine so bright,
With secrets rotated and keys held tight,
FAQs and examples light the way,
Credentials and fixes—hooray, hooray! 🔑✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'fix: update relevant doc pages with improved instructions' is vague and overly broad, referring generically to multiple doc pages without specifying the primary change or focus area.	Consider a more specific title that highlights the main change, such as 'docs: improve client secret rotation and API key documentation' or 'docs: enhance app keys and error troubleshooting guides'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tamal/update/trending-pages-update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying kinde-docs-preview with    Cloudflare Pages

Latest commit:	7086252
Status:	✅  Deploy successful!
Preview URL:	https://bbfcbf8b.kinde-docs-preview.pages.dev
Branch Preview URL:	https://tamal-update-trending-pages.kinde-docs-preview.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/build/applications/rotate-client-secret.mdx`:
- Line 37: The phrase "Kinde-side application" in the documentation line inside
rotate-client-secret.mdx is awkward and non-standard; replace it with clearer
wording such as "your application in Kinde", "the application configuration in
Kinde", or "the Kinde-hosted application" wherever "Kinde-side application"
appears (e.g., the sentence beginning "To ensure your applications remain
secure...") so the text reads naturally and consistently.

In
`@src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx`:
- Around line 125-136: The token endpoint examples use an incorrect
Authorization header and a single apiKey; update each example (notably the
function getValidToken(apiKey) and the other token-refresh snippets in the
"Token expired" section) to accept clientId and clientSecret parameters instead
of apiKey, remove the Authorization header, and include client_id and
client_secret as URL-encoded form fields in the POST body alongside
grant_type=client_credentials and scope; ensure the Content-Type remains
application/x-www-form-urlencoded and that the body concatenates client_id,
client_secret, grant_type, and scope for the /oauth2/token requests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 18a33706-f95f-4df1-8cf1-ee8e72e9e70e

📥 Commits

Reviewing files that changed from the base of the PR and between b750eb9 and 7086252.

📒 Files selected for processing (3)

• src/content/docs/build/applications/rotate-client-secret.mdx
• src/content/docs/get-started/connect/getting-app-keys.mdx
• src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Rephrase awkward terminology.

The term "Kinde-side application" is non-standard and awkward. Consider rephrasing for better clarity.

✍️ Suggested rephrase

-To ensure your applications remain secure, you can periodically rotate the client secret stored in the Kinde-side application.
+To ensure your applications remain secure, you can periodically rotate the client secret stored in Kinde for your application.

or alternatively:

-To ensure your applications remain secure, you can periodically rotate the client secret stored in the Kinde-side application.
+To ensure your applications remain secure, you can periodically rotate the client secret for your application in Kinde.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	To ensure your applications remain secure, you can periodically rotate the client secret stored in the Kinde-side application.
	To ensure your applications remain secure, you can periodically rotate the client secret stored in Kinde for your application.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/build/applications/rotate-client-secret.mdx` at line 37, The
phrase "Kinde-side application" in the documentation line inside
rotate-client-secret.mdx is awkward and non-standard; replace it with clearer
wording such as "your application in Kinde", "the application configuration in
Kinde", or "the Kinde-hosted application" wherever "Kinde-side application"
appears (e.g., the sentence beginning "To ensure your applications remain
secure...") so the text reads naturally and consistently.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether this doc pattern is unique or repeated elsewhere.
# Expected: find all oauth2/token examples using Bearer apiKey to align/fix consistently.

rg -n -C3 'oauth2/token|Authorization:\s*`Bearer\s*\$\{apiKey\}`|grant_type=client_credentials' --type=md --type=mdx

Repository: kinde-oss/documentation

Length of output: 95

---

🏁 Script executed:

# Read the target file to see the actual content
cat -n src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx | sed -n '120,160p'

Repository: kinde-oss/documentation

Length of output: 1506

---

🏁 Script executed:

# Search for oauth2/token patterns across markdown and MDX files without type constraints
rg -n -C3 'oauth2/token' --glob='*.md' --glob='*.mdx'

Repository: kinde-oss/documentation

Length of output: 41670

---

🏁 Script executed:

# Search for Bearer apiKey pattern specifically
rg -n 'Authorization.*Bearer.*apiKey' --glob='*.md' --glob='*.mdx' -C2

Repository: kinde-oss/documentation

Length of output: 2401

---

🏁 Script executed:

# Look for other token refresh or getValidToken examples
rg -n 'getValidToken|grant_type.*client_credentials' --glob='*.md' --glob='*.mdx' -C3

Repository: kinde-oss/documentation

Length of output: 24028

---

Token endpoint authentication method is incorrect across multiple examples.

Lines 125–136, 146–155, and 181–200 show Authorization: Bearer ${apiKey} for requests to /oauth2/token with grant_type=client_credentials. This pattern will fail and is inconsistent with Kinde's and OAuth 2.0 specifications.

The client credentials flow requires passing client_id and client_secret in the request body. Update all examples in this section to:

1. Accept clientId and clientSecret parameters instead of a single apiKey
2. Remove the Authorization header
3. Include client_id and client_secret as form data parameters in the body (alongside grant_type and scope)

This affects at least three code examples in the "Token expired" solution section.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/content/docs/manage-your-apis/troubleshoot-api-keys/common-api-key-errors.mdx`
around lines 125 - 136, The token endpoint examples use an incorrect
Authorization header and a single apiKey; update each example (notably the
function getValidToken(apiKey) and the other token-refresh snippets in the
"Token expired" section) to accept clientId and clientSecret parameters instead
of apiKey, remove the Authorization header, and include client_id and
client_secret as URL-encoded form fields in the POST body alongside
grant_type=client_credentials and scope; ensure the Content-Type remains
application/x-www-form-urlencoded and that the body concatenates client_id,
client_secret, grant_type, and scope for the /oauth2/token requests.