In the event that your app’s client secret has been compromised, you should immediately rotate it. Smile makes it possible for your app to rotate its client secret with zero downtime.

Step 1: Generate a new client secret

Generating a new client secret will allow you to start using it for authentication in the OAuth flow.
  1. In the Partner Portal, go to Apps.
  2. Click on the name of the app you want to rotate the client secret for.
  3. Navigate to the API access page for your app.
  4. In the Credentials card, click Generate new client secret.
  5. Read the information presented and click Generate.
You should now see two fields: Client secret (old) and Client secret (new).

Step 2: Use the new client secret for OAuth

After generating the new secret, both the old and new client secrets can be used to acquire access tokens. Update your app to use the new client secret.

Step 3: Use the new client secret to verify webhooks

Webhooks are always signed with the primary client secret. Once the old secret is revoked, the new secret will automatically be promoted to primary status. Configure your application to accept webhooks signed with either the old or the new client secret.

Step 4: Revoke the old client secret

Click Revoke next to the old client secret. This will remove it and promote the new secret to be your primary client secret. Any access tokens that were generated using the old revoked client secret will still be valid until they expire.

Step 5: Stop verifying webhooks with the old client secret

You can now clean up your code base to stop verifying webhooks with the old client secret.
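One way to implement the dual-secret check from Step 3 and the cleanup in Step 5, as an added example rather than Smile's own code. It assumes the webhook signature is a hex HMAC-SHA256 of the raw request body; the function names, secrets and payload are hypothetical, constructed values, and the signature string is whatever your handler reads from the request.

```python
import hashlib
import hmac
from typing import Optional, Sequence, Tuple


def sign(secret: str, body: bytes) -> str:
    """Assumed scheme (not confirmed by this page): hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature: str,
                   secrets: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Return the label of the secret that verified the body, or None."""
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    presented = signature.strip().encode("utf-8")
    matched = None
    for label, secret in secrets:
        # An unset or empty secret must never act as a key. This matters
        # once the old secret has been removed from configuration (Step 5).
        if not secret:
            continue
        expected = sign(secret, body).encode("ascii")
        # Constant-time comparison; keep checking every configured secret
        # so timing does not reveal which one matched.
        if hmac.compare_digest(expected, presented) and matched is None:
            matched = label
    return matched


# Constructed sample values, for illustration only.
OLD_SECRET = "constructed-old-secret"
NEW_SECRET = "constructed-new-secret"
BODY = b'{"topic":"example/updated","id":1}'

# Steps 3 and 4: accept either secret while the rotation is in progress.
DURING_ROTATION = [("new", NEW_SECRET), ("old", OLD_SECRET)]
# Step 5: the old secret has been removed from configuration.
AFTER_STEP_5 = [("new", NEW_SECRET), ("old", "")]

if __name__ == "__main__":
    for name, secret in (("old", OLD_SECRET), ("new", NEW_SECRET)):
        sig = sign(secret, BODY)
        print(name, "during rotation ->", verify_webhook(BODY, sig, DURING_ROTATION))
        print(name, "after step 5    ->", verify_webhook(BODY, sig, AFTER_STEP_5))
```

Logging the returned label shows when deliveries stop arriving under the old secret, which is the signal that the Step 5 cleanup is safe.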