Developers

API Secret Rotation

iProov recommends that you regularly rotate API service provider keys. This is a best practice required by rigorous penetration testing and certification organizations. The Open Web Application Security Project (OWASP) provides a series of guidelines and recommendations:

https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html

iProov enables you to easily and quickly rotate keys without service interruption. After you create a service provider, two secrets are provided and two Oauth passwords. This allows you to have two valid API secrets at any one time:

  • Rotate the second secret while the first is in use in production.

  • At the next appropriate point, deploy the second secret and rotate the first.

To rotate keys

Either the primary or secondary secret is live in production.

  1. Log into iPortal.
  2. Select the production service provider.
  3. lick Reset to reset the API Secret (or OAuth password) not currently in use:

  1. Save the generated secret and apply as part of a production release configuration change.
  2. Deploy to production and verify there is no loss of service.
  3. Rotate the unused secret.