API Secret Rotation
iProov recommends that you regularly rotate API service provider keys. This is a best practice required by rigorous penetration testing and certification organizations. The Open Web Application Security Project (OWASP) provides a series of guidelines and recommendations:
https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
iProov enables you to easily and quickly rotate keys without service interruption. After you create a service provider, two secrets are provided and two Oauth passwords. This allows you to have two valid API secrets at any one time:
-
Rotate the second secret while the first is in use in production.
-
At the next appropriate point, deploy the second secret and rotate the first.
To rotate keys
Either the primary or secondary secret is live in production.
- Log into iPortal.
- Select the production service provider.
- lick Reset to reset the API Secret (or OAuth password) not currently in use:

- Save the generated secret and apply as part of a production release configuration change.
- Deploy to production and verify there is no loss of service.
- Rotate the unused secret.