The secondary key should be used for easy refreshing and continuous service.
For example, if you have a service that connects to the Clarizen API you can add both tokens to your code. The primary token will be used until you decide to revoke it. When you revoke it you don't want your service to stop working so you can set it to automatically work with the secondary token until you generate a new primary token. This will ensure your service will not fail to connect to the Clarizen API.
I hope this helps,