At PayPal, we take security seriously. Since the client-secret in the API world is akin to your password in the web world, it is a well-known security best practice to regularly change the client-secret that your application uses. Regularly scheduled changes to the client-secret keep attackers at bay and ensure that your app is less vulnerable to being compromised.
To simplify the credential rotation process, we have now enabled this capability as a self-service feature on the developer portal. We hope that this feature will provide greater flexibility to our developers in rotating credentials per their own schedule.
Lifecycle of a client-secret at PayPal
A client-secret can have one of the following three statuses:
- Enabled: the client-secret can be used to authenticate your application for API integration.
- Disabled: the client-secret cannot be used to authenticate your application for API integration. It can, however, be moved back to “Enabled” status and made functional again.
- Deleted: the client-secret is no longer available for use. A client-secret, once deleted, cannot be Enabled or recovered.
NOTE: There can only be a maximum of two client-secrets. These client-secrets can be in either “Enabled” or “Disabled” status.
Process of Rotating a client-secret
Rotating your client-secret is an easy process and can be performed in a completely self-service fashion on the Developer Portal. The steps are detailed below and are applicable to both your Live and Sandbox client-secret rotation.
1) Generate a new client-secret in addition to your existing “Enabled” one.
2) Update your applications to utilize the new client-secret.
3) Validate your application’s functionality.
4) Disable the old client-secret.
5) Validate that your applications continue to work with the new client-secret after the old one has been disabled.
6) If there are any issues, re-enable the “Disabled” client-secret.
7) If validation is successful, delete the old client-secret.
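The lifecycle rules above (at most two client-secrets, Enabled and Disabled can be switched, Deleted is final) and the seven rotation steps can be exercised together in a small model. The following is an added example, not PayPal's code or its portal implementation: the `SecretStore` class is a constructed stand-in for the portal, `rotate()` walks steps 1 to 7 and rolls back to the old secret when validation fails, and the application's health check is supplied as a callback, so the same routine covers both the happy path and the step-6 recovery path.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Status(Enum):
    ENABLED = "Enabled"    # usable for API authentication
    DISABLED = "Disabled"  # rejected, but can be re-enabled
    DELETED = "Deleted"    # terminal: cannot be enabled or recovered


@dataclass
class ClientSecret:
    secret_id: str
    value: str
    status: Status = Status.ENABLED


class SecretStore:
    """Constructed model of the portal rules described on the page: at most two
    client-secrets that are not deleted, Enabled <-> Disabled transitions only,
    Deleted is final. This is an assumption for illustration, not PayPal's code."""

    MAX_SECRETS = 2

    def __init__(self) -> None:
        self._secrets: Dict[str, ClientSecret] = {}
        self._counter = 0

    def active(self) -> List[ClientSecret]:
        """Secrets that count toward the limit of two (Enabled or Disabled)."""
        return [s for s in self._secrets.values() if s.status is not Status.DELETED]

    def generate(self) -> ClientSecret:
        if len(self.active()) >= self.MAX_SECRETS:
            raise RuntimeError("maximum of two client-secrets; delete one first")
        self._counter += 1
        cs = ClientSecret(f"secret-{self._counter}", secrets.token_urlsafe(32))
        self._secrets[cs.secret_id] = cs
        return cs

    def _live(self, secret_id: str) -> ClientSecret:
        cs = self._secrets[secret_id]
        if cs.status is Status.DELETED:
            raise RuntimeError(f"{secret_id} is deleted and cannot be changed")
        return cs

    def disable(self, secret_id: str) -> None:
        self._live(secret_id).status = Status.DISABLED

    def enable(self, secret_id: str) -> None:
        self._live(secret_id).status = Status.ENABLED

    def delete(self, secret_id: str) -> None:
        self._live(secret_id).status = Status.DELETED

    def authenticate(self, presented: str) -> bool:
        """Only Enabled secrets authenticate; constant-time compare on the value."""
        return any(
            s.status is Status.ENABLED and secrets.compare_digest(s.value, presented)
            for s in self._secrets.values()
        )


def rotate(store: SecretStore, app_config: Dict[str, str],
           validate: Callable[[Dict[str, str]], bool]) -> str:
    """Steps 1-7 from the page. app_config is the application's live credential
    config; validate() is the application's own health check. Returns
    'rotated' on success or 'rolled-back' if the old secret had to be restored."""
    old_id, old_value = app_config["secret_id"], app_config["client_secret"]
    new = store.generate()                                               # step 1
    app_config.update(secret_id=new.secret_id, client_secret=new.value)  # step 2
    if not validate(app_config):                                         # step 3
        # Old secret is still Enabled: revert the config and drop the unused new one.
        app_config.update(secret_id=old_id, client_secret=old_value)
        store.delete(new.secret_id)
        return "rolled-back"
    store.disable(old_id)                                                # step 4
    if not validate(app_config):                                         # step 5
        store.enable(old_id)                                             # step 6
        app_config.update(secret_id=old_id, client_secret=old_value)
        store.delete(new.secret_id)
        return "rolled-back"
    store.delete(old_id)                                                 # step 7
    return "rotated"


if __name__ == "__main__":
    store = SecretStore()
    initial = store.generate()
    config = {"secret_id": initial.secret_id, "client_secret": initial.value}
    # The "application" validates by authenticating with its configured secret.
    print(rotate(store, config, lambda c: store.authenticate(c["client_secret"])))
    print(store.authenticate(initial.value))
```

The point of splitting validation into two calls is that step 3 proves the new secret works while the old one is still Enabled, and step 5 proves nothing else in the deployment still depends on the old one; only after both pass is the old secret deleted, since deletion cannot be undone.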
Recommended Best Practices for client-secret rotation
- Rotate client-secrets when your credential custodians change.
- Define, describe, document and agree on a standard process and steps for client-secret rotation.
- Thoroughly validate that your application is working fine before deleting an older client-secret.
- You can always disable a client-secret immediately if you suspect that your credentials have been compromised. Note, however, that your application will stop working until you integrate it with a new client-secret in “Enabled” status.
- Delete “Disabled” credentials regularly after validating your application with the new client-secret.
In conclusion, regularly updating the client-secret associated with your applications is a security best practice. We recommend that developers utilize the self-service client-secret rotation feature on the developer portal on a regular schedule for maximum application security. We also recommend that developers define, describe, document, and agree on a standard process around client-secret rotation across your team. A well-defined process will ensure that rotating an application’s client-secret is never a pain and that there are no missed steps during application validation with the newly generated client-secret.