As mentioned a moment ago, the client secret functions as the property password when making API calls. Because of that, it’s important to keep your client secrets secret: secrets should never be shared with anyone, including Janrain. If you are experiencing problems with a property, the support ticket you file should include the client ID. But that’s all the information Janrain needs. Your support tickets should not include the client secret.
But what happens if a client secret does leak out, or what happens if someone who had access to the secret leaves your company? In that case, Application Admins and Application Configuration Admins can use the Console to reset the client secret (i.e., generate a new password). To reset a client secret, complete the following procedure:
- From the Manage Properties page, click the property whose client secret needs to be reset.
- On the Edit page, click Reset Secret.
- In the “How long would you like the current secret to remain active?” dialog box, in the Hours to Expire field, enter an integer value between 0 and 168, inclusive.
The value entered here specifies how long you want the current client secret to remain usable. During the designated time period (e.g., 8 hours), your property will have two valid secrets: the old client secret, and the new client secret you are about to generate. That means that applications can make API calls using either the old secret or the new secret; it doesn’t matter. Keeping the old secret active for a little while is useful if you have deployed applications or utilities that use the old secret; this provides a “grace period” that gives you a chance to update those applications or utilities to the new secret. If this isn’t a concern, then set the Hours to Expire field to 0. That way, the old secret expires immediately, and only the new secret can be used to make API calls.
- In the “Are you sure you want to reset this secret?” dialog box, click Yes.
- In the “Secret successfully reset” dialog box, click Close.
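The grace-period behavior set by the Hours to Expire field, modeled as an added Python sketch that is not part of the original page and is not Janrain's code. The class, its method names, and the sample secrets and timestamps are hypothetical and constructed for illustration.

```python
import hmac
from datetime import datetime, timedelta, timezone

MAX_GRACE_HOURS = 168  # upper bound of the Hours to Expire field


class PropertySecrets:
    """Toy model of one property's client secret(s); not Janrain code."""

    def __init__(self, client_id, secret):
        self.client_id = client_id
        self.current = secret
        self.previous = None          # old secret, if one was replaced by a reset
        self.previous_expires = None  # UTC time at which the old secret stops working

    def reset(self, new_secret, hours_to_expire, now):
        # Same rule the dialog states: an integer from 0 to 168, inclusive.
        if isinstance(hours_to_expire, bool) or not isinstance(hours_to_expire, int):
            raise ValueError("Hours to Expire must be an integer")
        if not 0 <= hours_to_expire <= MAX_GRACE_HOURS:
            raise ValueError("Hours to Expire must be between 0 and 168")
        self.previous = self.current
        self.previous_expires = now + timedelta(hours=hours_to_expire)
        self.current = new_secret
        return self.previous_expires

    def accepts(self, presented, now):
        # Constant-time comparison so the check does not leak secret bytes by timing.
        if hmac.compare_digest(presented.encode(), self.current.encode()):
            return True
        in_grace = self.previous is not None and now < self.previous_expires
        return in_grace and hmac.compare_digest(presented.encode(), self.previous.encode())


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    prop = PropertySecrets("example-client-id", "old-secret")  # constructed values
    expires = prop.reset("new-secret", 8, now=t0)  # 8-hour grace period
    return {
        "old_during_grace": prop.accepts("old-secret", t0 + timedelta(hours=7)),
        "new_during_grace": prop.accepts("new-secret", t0 + timedelta(hours=7)),
        "old_after_grace": prop.accepts("old-secret", expires),
    }


if __name__ == "__main__":
    print(demo())
```

With a value of 0 the old secret is rejected from the moment of the reset. Any nonzero value keeps the old secret, including one that has leaked, valid until the expiry time.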