diff --git a/Gemfile b/Gemfile
index f2cdb76b8..0caed60fc 100644
--- a/Gemfile
+++ b/Gemfile
@@ -23,7 +23,7 @@ gem "rubocop-rspec", require: false
 gem "bcrypt", "~> 3.1", require: false
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
-gem "sqlite3", "~> 2.0", platform: %i[ruby mswin mingw x64_mingw]
+gem "sqlite3", "~> 1.4", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: %i[mingw mswin x64_mingw]
 gem "timecop"
diff --git a/lib/doorkeeper/orm/active_record/mixins/application.rb b/lib/doorkeeper/orm/active_record/mixins/application.rb
index 45916955d..6f442ee89 100644
--- a/lib/doorkeeper/orm/active_record/mixins/application.rb
+++ b/lib/doorkeeper/orm/active_record/mixins/application.rb
@@ -20,11 +20,13 @@ module Application
 dependent: :delete_all, class_name: Doorkeeper.config.access_token_class.to_s
- validates :name, :secret, :uid, presence: true
+ validates :name, :uid, presence: true
+ validates :secret, presence: true, if: ->(application) { application.confidential? }
 validates :uid, uniqueness: { case_sensitive: true }
- validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
 validates :confidential, inclusion: { in: [true, false] }
+ validates_with Doorkeeper::RedirectUriValidator, attributes: [:redirect_uri]
+ validate :scopes_match_configured, if: :enforce_scopes?
 before_validation :generate_uid, :generate_secret, on: :create
@@ -118,7 +120,7 @@ def generate_uid
 end
 def generate_secret
- return if secret.present?
+ return if !confidential? || secret.present?
 renew_secret
 end
diff --git a/lib/generators/doorkeeper/templates/migration.rb.erb b/lib/generators/doorkeeper/templates/migration.rb.erb
index bf1798b23..b2aedd8bb 100644
--- a/lib/generators/doorkeeper/templates/migration.rb.erb
+++ b/lib/generators/doorkeeper/templates/migration.rb.erb
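Review bot: In lib/doorkeeper/orm/active_record/mixins/application.rb (hunk at -20,11), the new conditional validation makes a blank `secret` a valid persisted state for non-confidential applications, and nothing in the hunk records that for the code that authenticates clients. The lookup that compares a presented secret with the stored one is not visible in this diff, so this is something to confirm rather than a confirmed defect: a blank presented secret should never match a blank stored one, and a confidential application should never be resolved without its secret. I would add above the validation `# Public (non-confidential) clients carry no secret; never treat a blank stored secret as a credential match.` The condition can also be written as `validates :secret, presence: true, if: :confidential?`, matching the `if: :enforce_scopes?` form a few lines below. The enclosing module body starts and ends outside the hunk.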
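Review bot: In the `generate_secret` hunk (-118,7) the new early return skips secret generation for non-confidential applications, but the callback is registered with `on: :create` in the first hunk of this file, so an application created as public and later switched to confidential never has a secret generated. Its update then fails the `secret` presence validation unless the caller sets one, which fails closed but is undocumented; I would add above the guard `# Public clients get no secret; call renew_secret explicitly when an existing application becomes confidential.` The reverse change, confidential to public, leaves the old secret stored, and it is worth deciding here whether it should be cleared. The guard reads more easily as `return unless confidential?` followed by `return if secret.present?`.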
@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
 create_table :oauth_applications do |t|
 t.string :name, null: false
 t.string :uid, null: false
+ # Remove `null: false` if you are planning to use public clients or use conditional constraint
 t.string :secret, null: false
 # Remove `null: false` if you are planning to use grant flows
diff --git a/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb b/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
index 3220b983e..94e361e21 100644
--- a/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
+++ b/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
@@ -5,7 +5,7 @@ def change
 create_table :oauth_applications do |t|
 t.string :name, null: false
 t.string :uid, null: false
- t.string :secret, null: false
+ t.string :secret
 # Remove `null: false` if you are planning to use grant flows
 # that doesn't require redirect URI to be used during authorization
diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb
index 64160d50b..7ed67be14 100644
--- a/spec/dummy/db/schema.rb
+++ b/spec/dummy/db/schema.rb
@@ -50,7 +50,7 @@ create_table "oauth_applications", force: :cascade do |t|
 t.string "name", null: false
 t.string "uid", null: false
- t.string "secret", null: false
+ t.string "secret"
 t.text "redirect_uri"
 t.string "scopes", default: "", null: false
 t.datetime "created_at", null: false
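Review bot: In lib/generators/doorkeeper/templates/migration.rb.erb the template still declares `t.string :secret, null: false`, so with the default schema a non-confidential application passes model validation with a nil secret and then fails at the database with a NOT NULL violation instead of a validation error. The added comment leaves the fix to the reader, and installations generated from the earlier template already carry the constraint. The dummy migration and schema.rb hunks that follow drop `null: false`, so the spec suite does not exercise the default-template schema. I would reword the comment to say "public (non-confidential) clients" and "replace it with a conditional constraint", and state in the upgrade notes that existing tables need `change_column_null :oauth_applications, :secret, true`. The create_table block continues outside the hunk.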