Rotate client secret

How to rotate your OAuth2.0 machine-to-machine client secret?

In order to keep your account safe, we recommend that you rotate your OAuth2.0 machine-to-machine client secret regularly.

Prerequisites

  • You created an OAuth2.0 machine-to-machine client for your account as described in Authentication.

Impact

The client secret is necessary for your OAuth2.0 machine-to-machine client to request an access token which, in turn, is used to access the TradeAware API.

Rotating the client secret invalidates your existing client secret immediately (more precisely: within up to 30 seconds). From then on, any attempt to request a new access token with the previous client secret will fail.

Only the new client secret will enable a successful request for a new access token.

As a result, expect some downtime between the secret rotation and the moment your application is updated with the new secret, including any necessary redeployment. For more information, see Downtime.

How to

Before we dive into the step-by-step guide, please be aware of the following:

Depending on your application's hosting provider, you may need to redeploy the application for changed environment variables and environment secrets to take effect. Consult your hosting provider's documentation before continuing with the following steps.

Step-by-step

  • Log in to the TradeAware Web App and navigate to the Developer Tools. If you do not open the URL directly, you can get there as follows: after login, click the profile icon in the bottom left corner, choose "Manage Account", then click "Developer Tools".

  • On the Developer Tools page, click the heading of the "Danger Zone" section to display further options.

  • Under the section "Rotate Secret", click the red button "Rotate".

  • A dialog opens for you to confirm the secret rotation. Follow the instructions in the dialog and confirm the dialog with "Rotate". WARNING: THIS ACTION IS IMMEDIATE AND CANNOT BE REVERTED.

  • Next, the dialog closes and returns you to the Developer Tools. Copy your new client secret from the "Client Secret" field.

  • Update your application to use the new client secret.

Downtime

We currently do not support client secret rotation with zero downtime.

You may be able to achieve zero downtime by timing the secret rotation right after your OAuth2.0 machine-to-machine client has requested a new access token, so that the token it already holds stays valid while you deploy the new secret. However, this is difficult to time.
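The following simulation, added here as an example and not part of TradeAware's documentation or code, walks through the window described in the Impact and Downtime sections: an access token obtained before the rotation keeps working until it expires, the first token request with the stale secret fails with `invalid_client`, and a client that re-reads its secret from the environment at refresh time recovers as soon as the updated secret is deployed. The token endpoint, the `TRADEAWARE_CLIENT_SECRET` variable name, the token lifetime and the refresh margin are all constructed assumptions; the simulation treats invalidation as instantaneous rather than modelling the up-to-30-second delay.

```python
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeAuthServer:
    """Stand-in for the OAuth2.0 token endpoint; constructed for this example."""

    client_id: str
    client_secret: str           # the secret the server currently accepts
    token_lifetime: int = 3600   # seconds; an assumption, not a TradeAware value
    issued: dict = field(default_factory=dict)  # access token -> expiry (epoch seconds)

    def rotate_secret(self) -> str:
        """Replace the accepted secret; the previous one stops working at once."""
        self.client_secret = secrets.token_urlsafe(32)
        return self.client_secret

    def token(self, client_id: str, client_secret: str, now: int) -> dict:
        """Client-credentials grant: verify the secret, issue a fresh access token."""
        if client_id != self.client_id or not secrets.compare_digest(
            client_secret, self.client_secret
        ):
            return {"error": "invalid_client"}
        access_token = secrets.token_urlsafe(16)
        self.issued[access_token] = now + self.token_lifetime
        return {"access_token": access_token, "expires_in": self.token_lifetime}

    def api_call(self, access_token: str, now: int) -> bool:
        """Tokens issued before the rotation stay usable until they expire."""
        return self.issued.get(access_token, 0) > now


class TokenClient:
    """Caches one access token; reads the secret from the environment on every refresh."""

    SECRET_ENV = "TRADEAWARE_CLIENT_SECRET"  # assumed variable name
    REFRESH_MARGIN = 60                      # seconds before expiry to refresh; assumed

    def __init__(self, server: FakeAuthServer, client_id: str):
        self.server = server
        self.client_id = client_id
        self._token = None
        self._expires_at = 0

    def get_token(self, now: int, force_refresh: bool = False) -> str:
        if (
            self._token
            and not force_refresh
            and now < self._expires_at - self.REFRESH_MARGIN
        ):
            return self._token
        # Read the secret at refresh time rather than at start-up, so an updated
        # environment variable takes effect without restarting the process.
        resp = self.server.token(self.client_id, os.environ[self.SECRET_ENV], now)
        if "error" in resp:
            raise PermissionError(f"token request failed: {resp['error']}")
        self._token = resp["access_token"]
        self._expires_at = now + resp["expires_in"]
        return self._token


def simulate_rotation() -> dict:
    """Step through the rotation window and report what works at each point."""
    old_secret = secrets.token_urlsafe(32)
    server = FakeAuthServer(client_id="m2m-client", client_secret=old_secret)
    os.environ[TokenClient.SECRET_ENV] = old_secret
    client = TokenClient(server, "m2m-client")
    results = {}

    token = client.get_token(now=0)        # t=0: token issued with the old secret
    new_secret = server.rotate_secret()    # t=10: secret rotated in the web app
    # t=20: the cached token was issued before rotation and is still accepted.
    results["cached_token_still_valid"] = server.api_call(token, now=20)

    try:                                   # t=20: forced refresh, secret not yet updated
        client.get_token(now=20, force_refresh=True)
        results["refresh_with_old_secret"] = "ok"
    except PermissionError:
        results["refresh_with_old_secret"] = "invalid_client"

    os.environ[TokenClient.SECRET_ENV] = new_secret   # application updated / redeployed
    refreshed = client.get_token(now=30, force_refresh=True)
    results["refresh_with_new_secret"] = server.api_call(refreshed, now=30)
    return results


if __name__ == "__main__":
    print(simulate_rotation())
```

The downtime window is the interval between the rotation and the first token refresh that runs with the new secret in place; reading the secret at refresh time (instead of once at process start) shortens that window to however long the environment update takes, without removing it.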

Programmatically rotating client secrets

We currently do not support this feature. If you are interested in this functionality, please contact support.
