且构网


What is the Cognito App client secret

Updated: 2022-05-13 22:15:32

Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito-specific property but a part of the OAuth2 standard. Indeed, using an app secret in public apps running in browsers makes no sense. In general, when developing a public app, a client secret is not used. If you do, you are responsible for securely storing it.

Coming to Cognito, like you said, its JS SDK does not use a client secret (as it should be). However, if you use the AWS CLI or boto3, you can use a client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid, I think) and pass it as a parameter.

But in terms of security, it does not really make a difference.
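The hash the answer refers to is Cognito's `SECRET_HASH`: Base64(HMAC-SHA256(key = client secret, message = username + client id)). The following is an added example, not code from the answer above or from AWS; the client id, username and secret are constructed placeholders, and the `build_auth_parameters` helper is a hypothetical name for assembling the `AuthParameters` dict that boto3's `initiate_auth` takes.

```python
# Added example: computing Cognito's SECRET_HASH as a boto3/CLI caller must
# when the app client has a secret. Not from the original answer.
# SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
import base64
import hashlib
import hmac
import os
from typing import Optional


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Return the SECRET_HASH value Cognito expects for this user/app client."""
    message = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_auth_parameters(username: str, password: str, client_id: str,
                          client_secret: Optional[str]) -> dict:
    """Build the AuthParameters dict for initiate_auth (USER_PASSWORD_AUTH).

    SECRET_HASH is added only when the app client actually has a secret.
    If the client has one and it is omitted, Cognito rejects the call with
    NotAuthorizedException, which is the usual symptom people hit.
    """
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params


if __name__ == "__main__":
    # Constructed placeholder values. On a confidential (server-side) client the
    # secret belongs in the environment or a secrets manager, never in a browser
    # bundle, since anything shipped to the browser is readable by its user.
    client_id = "1h57kf5cpq17m0eml12EXAMPLE"
    secret = os.environ.get("COGNITO_CLIENT_SECRET", "example-secret-not-real")
    params = build_auth_parameters("alice", "example-password", client_id, secret)
    print(params["SECRET_HASH"])
    # With boto3 this dict is passed as-is:
    # boto3.client("cognito-idp").initiate_auth(ClientId=client_id,
    #     AuthFlow="USER_PASSWORD_AUTH", AuthParameters=params)
```

The same helper applies to `respond_to_auth_challenge`, `sign_up` and `forgot_password`, which all take `SECRET_HASH` (or `SecretHash`) computed the same way.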