The client_secret is to be assigned by the Authorization server, and therefore, a client cannot simply update it. If you attempt to update this value via the /register endpoint, you will get a 400 Bad Request error.
While a client can’t update the client_secret, it certainly can be updated via REST using an account with appropriate privileges. The admin console (XUI) uses REST to talk to the AM server. So using your browser tools you can do an update of a client and see the call and parameters the XUI is using and follow that pattern. But you didn’t hear that from me. :)