I spoke at a meetup on authentication/authorization organized by a colleague and freelancer in the IAM field (see https://t.me/unauthz):
@mortal @jgayfer A client that cannot securely store its secret is called public. For example, CLI and mobile apps are usually public clients. For instance, the secret of the Google Cloud CLI is a publicly known string.
There are methods that allow public clients to mitigate some of the risks that stem from their secret being public. For example, DPoP allows one to bind access and refresh tokens to a specific private key that can be stored on a specific device (binding the user's authorization to the device).
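The DPoP binding mentioned above, as an added example (not code from the original post): the client signs a proof with a device-bound P-256 key, and the resource server verifies the proof and checks that the key's RFC 7638 thumbprint equals the `cnf.jkt` the token was issued with, so a token presented without that key is rejected. The function names, the `htu` URI and the `jti`/`iat` values are constructed for illustration; nonce handling and `jti` replay tracking are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
func b32(i *big.Int) []byte   { return i.FillBytes(make([]byte, 32)) }
func bigOf(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
// canonicalJWK is the RFC 7638 thumbprint input for a P-256 key (required members only, in
// lexicographic order, no whitespace); Thumbprint of it is what the AS puts in the token's cnf.jkt.
func canonicalJWK(x, y string) string { return `{"crv":"P-256","kty":"EC","x":"` + x + `","y":"` + y + `"}` }
func Thumbprint(x, y string) string { h := sha256.Sum256([]byte(canonicalJWK(x, y))); return b64.EncodeToString(h[:]) }
// SignProof (client side): ES256 DPoP proof over this request's method and URI, signed with the
// device-bound key. jti and iat are constructed sample values; real proofs use fresh ones.
func SignProof(priv *ecdsa.PrivateKey, htm, htu string) string {
	jwk := canonicalJWK(b64.EncodeToString(b32(priv.X)), b64.EncodeToString(b32(priv.Y)))
	hdr := `{"typ":"dpop+jwt","alg":"ES256","jwk":` + jwk + `}`
	clm, _ := json.Marshal(map[string]any{"htm": htm, "htu": htu, "jti": "constructed-jti-1", "iat": 1700000000})
	in := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString(clm)
	h := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	return in + "." + b64.EncodeToString(append(b32(r), b32(s)...))
}

// VerifyBinding (resource server side): the proof must verify under the key in its own header,
// cover this request, and that key's thumbprint must equal the cnf.jkt the token was issued with.
func VerifyBinding(proof, tokenJKT, htm, htu string) error {
	p := strings.Split(proof, ".")
	if len(p) != 3 { return errors.New("malformed proof") }
	var hdr struct{ Typ, Alg string; JWK struct{ Crv, X, Y string } }
	var clm struct{ Htm, Htu string }
	hb, _ := b64.DecodeString(p[0]); cb, _ := b64.DecodeString(p[1]); sig, _ := b64.DecodeString(p[2])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &clm) != nil || len(sig) != 64 { return errors.New("undecodable proof") }
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Crv != "P-256" || clm.Htm != htm || clm.Htu != htu { return errors.New("proof does not fit this request") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigOf(hdr.JWK.X), Y: bigOf(hdr.JWK.Y)}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return errors.New("proof signature invalid") } // presenter lacks the private key
	if Thumbprint(hdr.JWK.X, hdr.JWK.Y) != tokenJKT { return errors.New("proof key does not match cnf.jkt") } // token presented with another key
	return nil
}
```

The authorization server computes the same Thumbprint from the JWK in the token request and issues the token with that value in `cnf.jkt`; the resource server never needs to contact it for the binding check.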