API key rotation
Last updated: October 28, 2024
iProov recommends that you regularly rotate API service provider keys. This is a best practice required by rigorous penetration testing and certification organizations. The Open Web Application Security Project (OWASP) provides a series of guidelines and recommendations:
https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
iProov enables you to rotate keys easily and quickly without service interruption. When you create a service provider, two API secrets and two OAuth passwords are provided, so you can have two valid API secrets at any one time:
- Rotate the second secret while the first is in use in production.
- At the next appropriate point, deploy the second secret and rotate the first.
To rotate keys (at the start, either the primary or the secondary secret is live in production):
- Log into iPortal.
- Select the production service provider.
- Click Reset to reset the API Secret (or OAuth password) that is not currently in use.
- Save the generated secret and apply it as part of a production release configuration change.
- Deploy to production and verify there is no loss of service.
- Rotate the secret that is now unused.
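The following is an added illustration of why the two-slot scheme above allows rotation without an outage; it is example code written for this page, not iProov's implementation or API. It models a service provider that holds two secrets, accepts either one on every request, and regenerates only the slot production is not configured with. The class and function names (ServiceProviderSecrets, rotation_cycle) and the secret format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ServiceProviderSecrets:
    """Two-slot secret store (hypothetical model of the dual-secret scheme).

    Both slots are valid at all times, so a deployment that moves production
    from one slot to the other never hits a window in which requests fail.
    """

    primary: str
    secondary: str
    in_use: str = "primary"  # slot the production release is configured with

    @classmethod
    def create(cls) -> "ServiceProviderSecrets":
        # Constructed example secrets; a real provider issues its own format.
        return cls(primary=secrets.token_urlsafe(32), secondary=secrets.token_urlsafe(32))

    def verify(self, presented: str) -> bool:
        # Constant-time comparison against each active slot.
        return any(hmac.compare_digest(presented, s) for s in (self.primary, self.secondary))

    def unused_slot(self) -> str:
        return "secondary" if self.in_use == "primary" else "primary"

    def reset_unused(self) -> str:
        """Step 'Reset': regenerate only the slot that production is not using.

        The live secret is untouched, so traffic keeps authenticating.
        Returns the new secret for the release configuration change.
        """
        slot = self.unused_slot()
        new_secret = secrets.token_urlsafe(32)
        setattr(self, slot, new_secret)
        return new_secret

    def deploy(self, configured_secret: str) -> None:
        """Step 'Deploy': production now presents configured_secret.

        Refuses a value that matches neither slot, which is the failure
        the 'verify there is no loss of service' step is meant to catch.
        """
        if hmac.compare_digest(configured_secret, self.primary):
            self.in_use = "primary"
        elif hmac.compare_digest(configured_secret, self.secondary):
            self.in_use = "secondary"
        else:
            raise ValueError("deployed secret does not match any active slot")


def rotation_cycle(store: ServiceProviderSecrets, live_secret: str) -> dict:
    """Run one full rotation and record which secrets were accepted at each step.

    live_secret is the value currently deployed in production.
    Returns a dict so the outcome can be inspected rather than only printed.
    """
    assert store.verify(live_secret), "precondition: production holds a valid secret"

    fresh = store.reset_unused()                       # reset the unused slot
    during_release = store.verify(live_secret)         # old secret still works mid-rollout
    store.deploy(fresh)                                # production switches to the new secret
    after_release = store.verify(fresh)
    retired = store.reset_unused()                     # rotate the one just taken out of use
    old_after_retire = store.verify(live_secret)       # the retired value is now rejected

    return {
        "old_valid_during_release": during_release,
        "new_valid_after_release": after_release,
        "old_valid_after_retire": old_after_retire,
        "live": fresh,
        "standby": retired,
    }


if __name__ == "__main__":
    sp = ServiceProviderSecrets.create()
    print(rotation_cycle(sp, sp.primary))
```

The point of the model is the ordering: the secret that production is using is never the one being reset, and the old value is only invalidated after the new one has been deployed and confirmed working. Running the cycle twice walks the live slot from primary to secondary and back, which is the "rotate the unused secret" step applied at the next release.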
iProov recommends following this process at least every 6 months or when key personnel (who may have had access to the secret) leave the business.