Security best practices
Please follow these security best practices.
Use the client-credentials flow on the server side only
The client-credentials OAuth2 flow is designed for server-side use only. No user authentication is involved in the process (it is server-to-server), so pay close attention to the security of your application back-end: authorization and credentials rely entirely on it.
Don't call the APIs with the client-credentials flow from the client side; call them from the server side only. The authorization must be obtained by a server or BFF (backend-for-frontend), and only that server should call the API, so that your credentials and access tokens are never exposed on the client side.
Store your secret in a designated secrets management solution
Store secrets in a designated secrets management solution. For example, you can use a solution offered by your (cloud) infrastructure provider, such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault. Another option is a dedicated secrets management system, such as HashiCorp Vault, Keeper, Confidant, or Conjur.
Don't store secrets (or the client id) in clear text in the code. The best solution is a designated secrets management solution. Alternatively, you can store them as an encrypted field in your database.
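The two points above (obtain the token on the server side only, and pull the secret from a secrets manager rather than the code) shown together in an added example that is not part of the original page. It assumes a placeholder token endpoint, assumed environment variable names populated by the secrets manager, and a constructed fake endpoint so it runs offline.

```python
import base64
import os
import time
import urllib.parse

TOKEN_URL = "https://auth.example.com/oauth2/token"  # assumed placeholder endpoint

def load_client_credentials(env=os.environ):
    """Read client_id/secret injected by the secrets manager; variable names are assumed."""
    return env["API_CLIENT_ID"], env["API_CLIENT_SECRET"]

def build_token_request(client_id, client_secret, scope=None):
    """Headers and form body for the client_credentials grant (HTTP Basic client auth)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials", **({"scope": scope} if scope else {})}
    return headers, urllib.parse.urlencode(form)

class TokenCache:
    """Keeps the access token in server memory and renews it shortly before expiry."""

    def __init__(self, post, env=os.environ, now=time.time, skew=30):
        self._post, self._env, self._now, self._skew = post, env, now, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        if self._token and self._now() < self._expires_at - self._skew:
            return self._token
        client_id, secret = load_client_credentials(self._env)
        headers, body = build_token_request(client_id, secret)
        resp = self._post(TOKEN_URL, headers, body)  # post(url, headers, body) -> parsed JSON
        self._token = resp["access_token"]
        self._expires_at = self._now() + float(resp.get("expires_in", 0))
        return self._token

def demo():
    """Offline run against a constructed token endpoint; returns (tokens seen, endpoint calls)."""
    calls, clock = [], [1000.0]
    env = {"API_CLIENT_ID": "demo-id", "API_CLIENT_SECRET": "demo-secret"}  # constructed values
    def fake_post(url, headers, body):  # constructed stand-in for the real HTTPS POST
        calls.append((url, headers, body))
        return {"access_token": f"tok{len(calls)}", "expires_in": 3600}
    cache = TokenCache(fake_post, env=env, now=lambda: clock[0])
    first, second = cache.get_token(), cache.get_token()  # second is served from cache
    clock[0] += 3600.0  # now inside the expiry skew, so the next call renews
    return (first, second, cache.get_token()), calls
```

The token and the secret only ever live in the server process; a browser talking to this BFF receives API data, never the credential or the bearer token.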
Reset your secret periodically and in case of a security compromise
It is best practice to renew your secrets periodically, and above all whenever your security may have been compromised.
You can reset your secret on the developer portal (see the API key page).