Rotate client secret
How to rotate your OAuth2.0 machine-to-machine client secret?
In order to keep your account safe, we recommend that you rotate your OAuth2.0 machine-to-machine client secret regularly.
Impact
The client secret is necessary for your OAuth2.0 machine-to-machine client to request an access token which, in turn, is used to access the SurfaceScout API.
Rotating the client secret invalidates your existing client secret immediately (more precisely: within up to 30 seconds). As a result, any attempt to request a new access token with the previous client secret will fail.
Only the new client secret will enable a successful request for a new access token.
This means you should expect some downtime between the secret rotation and the moment your application is running with the new secret, including any redeployment that requires. For more information, see Downtime.
How to
Before we dive into the step-by-step guide, please be aware of the following:
Depending on your application's hosting provider, you may need to redeploy the application for changed environment variables and environment secrets to take effect. Please consult your hosting provider's documentation before continuing with the following steps.
Step-by-step
Log in to the SurfaceScout Web App and navigate to the configuration panel.
Under the section "Rotate Secret", click the button "Rotate".

A dialog opens for you to confirm the secret rotation. Follow the instructions in the dialog and confirm the dialog with "Rotate". WARNING: THIS ACTION IS IMMEDIATE AND CANNOT BE REVERTED.

Next, the dialog will close and bring you back to the Developer Tools. Copy your new client secret from the field "Client Secret".
Update your application to use the new client secret.
Downtime
We currently do not support client secret rotation with zero downtime.
You may be able to achieve zero downtime by chance, by timing the secret rotation right after your OAuth2.0 machine-to-machine client has requested a new access token, since an already issued access token remains usable until it expires. However, this is difficult to time reliably.
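One way to keep the downtime described above short is to have the client keep using its cached access token until expiry and, when the token endpoint rejects the old secret, re-read the secret from its source (environment, file or secret store) and retry, so that only the secret source has to be updated, provided your hosting setup makes the new value readable without a redeploy. The following is an added illustration, not SurfaceScout code: the token endpoint is simulated in-process, and the client id, secret values and 3600-second token lifetime are constructed.

```python
class InvalidClient(Exception):
    """Token endpoint rejected the client credentials (e.g. a rotated secret)."""

class TokenManager:
    # Caches a client-credentials token; on rejection, re-reads the secret from
    # its source (env var, file, secret store) instead of waiting for a redeploy.
    def __init__(self, client_id, load_secret, request_token, clock, skew=30):
        self.client_id, self.clock, self.skew = client_id, clock, skew
        self.load_secret = load_secret      # callable -> current secret string
        self.request_token = request_token  # callable(client_id, secret) -> (token, ttl_seconds)
        self.secret, self.token, self.expires_at, self.reloads = load_secret(), None, 0.0, 0

    def get_token(self):
        # A token issued before rotation stays valid until it expires, so reuse it
        if self.token and self.clock() < self.expires_at - self.skew:
            return self.token
        try:
            token, ttl = self.request_token(self.client_id, self.secret)
        except InvalidClient:
            # Secret was rotated: load the new one and retry exactly once
            self.secret, self.reloads = self.load_secret(), self.reloads + 1
            token, ttl = self.request_token(self.client_id, self.secret)
        self.token, self.expires_at = token, self.clock() + ttl
        return token

# Constructed stand-in for the token endpoint; rotation invalidates the old secret at once
class FakeTokenEndpoint:
    def __init__(self, secret):
        self.secret, self.issued = secret, 0
    def request(self, client_id, secret):
        if secret != self.secret:
            raise InvalidClient("invalid_client")
        self.issued += 1
        return f"token-{self.issued}", 3600

def simulate_rotation():
    now = [1000.0]                                   # fake clock, advanced manually
    endpoint = FakeTokenEndpoint("secret-v1")
    store = {"secret": "secret-v1"}                  # stands in for env/file/secret manager
    tm = TokenManager("client-abc", lambda: store["secret"], endpoint.request, lambda: now[0])
    first = tm.get_token()                           # token-1, obtained with secret-v1
    endpoint.secret = store["secret"] = "secret-v2"  # rotate, then update the secret source
    now[0] += 60
    cached = tm.get_token()                          # still token-1: no request made
    now[0] += 3600                                   # token expired: old secret fails, reload, retry
    refreshed = tm.get_token()
    return first, cached, refreshed, tm.reloads
```

If the retry with the reloaded secret also fails, the exception propagates, which is the signal that the secret source itself has not been updated yet.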
Programmatically rotating client secrets
We currently do not support this feature. If you are interested in this functionality, please reach out to [email protected].