Confusion about Private keys vs Client secrets

Hi. I created a GitHub App (not OAuth) and want to use it as an automatic issue report bot. I have read the docs about getting the access token using Private keys.

Everything works fine until I read the article Refreshing user-to-server access tokens, which uses Client secrets.

Now I am confused about the terms Private keys and Client secrets.

  1. Which of these is more “sensitive” (aka which one has more power)?

  2. What are the usages of both?

  3. Right now, I do token refreshes by regenerating the jwt token and post a request to /app/installations/:installation_id/access_tokens.

    1. Is this a good idea?
    2. What is the difference between Renewing a user token with a refresh token and Authenticating as an installation? The former one uses Client secrets while the latter uses Private keys.
    3. Which one shall I use (aka. what is the best practice for getting a new valid access token)?