
SurePassID API Key Rotation Best Practices

How to properly replace or retire API keys within the SurePassID Authentication Server

  1. Generate a new API key within the SurePassID Portal
  2. Test the new API key with the desired applications
  3. Monitor the logs to confirm everything is working properly
  4. Check your documentation of which applications use which key to confirm that all applications have successfully transitioned from the old keys to the new ones
  5. Once the above steps are complete, decide whether to remove the old key entirely or to disable its functions as a precaution, in case any apps were missed during the update process

Note: When deleting a key from the portal, keep in mind that it will not be automatically removed from the apps that rely on it. It is crucial to proceed with caution when deciding to delete a key.


Disabling the functions in a key instead of deleting it has the advantage that attempts to use it remain visible in the audit trail. This means that if an app is still trying to use the old key, you can quickly identify it and address the problem. However, if an app attempts to use a key that no longer exists, the attempt may not be logged in the audit trail at all, because there is no longer a key record under which the audit entry can be filed.

To enhance security when retiring keys, it is advisable to disable the functions in the old keys rather than deleting them until you confirm that all linked applications have switched to the new key. While there is no strict rule to delete the keys entirely, your organization's policies may require it.
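The following model illustrates the difference between disabling and deleting a retired key during a rotation. It is an added example and not SurePassID's code or API: the key store, the state names, and the audit-log layout are all hypothetical, constructed here to show why a disabled key still names the straggling application in the audit trail while a deleted key leaves only an unattributed failure.

```python
"""Hypothetical key-rotation model (not SurePassID's API) with disable-before-delete."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import secrets


class KeyState(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"   # record kept, every function turned off


@dataclass
class ApiKey:
    key_id: str
    secret_hash: str
    state: KeyState = KeyState.ACTIVE


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)          # key_id -> ApiKey
    audit: dict = field(default_factory=dict)         # key_id -> audit entries filed under that key
    unattributed: list = field(default_factory=list)  # failures with no key record to file them under

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def generate(self, key_id: str) -> str:
        """Create a key; the secret is returned once and only its hash is stored."""
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = ApiKey(key_id, self._hash(secret))
        self.audit[key_id] = [{"event": "key_created"}]
        return secret

    def disable(self, key_id: str) -> None:
        self.keys[key_id].state = KeyState.DISABLED
        self.audit[key_id].append({"event": "key_disabled"})

    def delete(self, key_id: str) -> None:
        self.audit[key_id].append({"event": "key_deleted"})
        del self.keys[key_id]

    def authenticate(self, app: str, key_id: str, secret: str) -> bool:
        key = self.keys.get(key_id)
        if key is None:
            # Deleted or never existed: no key record, so the entry cannot be filed under a key.
            self.unattributed.append({"event": "auth_failed", "app": app, "reason": "unknown_key"})
            return False
        if not secrets.compare_digest(key.secret_hash, self._hash(secret)):
            self.audit[key_id].append({"event": "auth_failed", "app": app, "reason": "bad_secret"})
            return False
        if key.state is KeyState.DISABLED:
            # The record survives, so the straggling application is identified by name.
            self.audit[key_id].append({"event": "auth_rejected", "app": app, "reason": "key_disabled"})
            return False
        self.audit[key_id].append({"event": "auth_ok", "app": app})
        return True

    def apps_seen_on_key(self, key_id: str) -> list:
        """Applications that presented this key (successfully or not) since it was created."""
        return sorted({e["app"] for e in self.audit.get(key_id, []) if "app" in e})


def rotation_demo() -> dict:
    """Walk through the rotation steps and report what each stage revealed."""
    store = KeyStore()
    old = store.generate("key-old")
    new = store.generate("key-new")                                                   # step 1
    migrated = [store.authenticate(a, "key-new", new) for a in ("billing", "portal")]  # step 2
    store.disable("key-old")                                # step 5: disable, do not delete yet
    store.authenticate("legacy-report", "key-old", old)     # an app missed during the update
    stragglers = store.apps_seen_on_key("key-old")          # step 3: the audit trail names it
    store.delete("key-old")                                 # contrast: delete the key instead
    store.authenticate("legacy-report", "key-old", old)     # same app, now unattributable
    return {
        "new_key_works": all(migrated),
        "stragglers_on_old_key": stragglers,
        "unattributed_after_delete": len(store.unattributed),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Run as a script, the demo shows the migrated apps succeeding on the new key, the missed app being named in the old key's audit entries while that key is merely disabled, and the same app producing only an unattributed failure once the key has been deleted.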