API Connect


How to enforce app credentials rotation policy for API consumers?

  • 1.  How to enforce app credentials rotation policy for API consumers?

    Posted Tue December 13, 2022 08:55 AM
    Hi all,

    This question is on behalf of one of our API Connect users (I am an IBMer), and I am interested in actual experiences from the field. Thanks in advance!

    One of our API Connect users wants to introduce a mandatory app credentials rotation policy for some of their API consumers. Of course they could periodically overwrite the existing client id and secret, and communicate those to the developers, but that comes with all kinds of security and timing concerns.

    Has anyone implemented a mechanism for alerting API consumers periodically about updating the credentials for their apps, with (preferably) a mandatory time window? Their idea is that consumers are required e.g. every three months to rotate the credentials for their existing apps (possibly with some overlap to prevent disruptions for API calls). Possibly they could send out notifications periodically, and check (querying via the consumer API, or using a developer portal custom module) when the credentials were last updated.

    I realize this is probably not a very common use case, but are they unique in their thinking, or has anyone else implemented this as well?

    Thanks!

    ------------------------------
    Johan Thole
    IT Specialist
    IBM Technology Nederland BV
    Netherlands
    ------------------------------
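The policy sketched in the post (rotate every three months, notify ahead of the deadline, allow a short overlap so in-flight callers are not cut off) can be evaluated offline once the credential metadata has been collected, whether via the consumer API or a developer-portal module. The following is an added example and not API Connect code or code from the poster; it assumes the credential records (client id, creation time, revoked flag) have already been fetched, and embeds constructed sample data so it runs stand-alone. The policy constants, app names, e-mail addresses and client ids are assumptions. Two checks a practitioner would want are included: the overlap window is bounded, so the old secret is scheduled for revocation instead of living on indefinitely, and an app with no active credential is flagged rather than silently reported as compliant.

```python
"""Credential-rotation policy evaluator (added example, not API Connect code).

Credential records are assumed to have been fetched already, e.g. with the
consumer API or a portal module as suggested in the post; they are
constructed inline here so the example runs offline. Only metadata is kept:
client secrets are never stored by this script.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy constants (assumptions for this example, not API Connect defaults).
MAX_AGE = timedelta(days=90)       # rotate every three months
WARN_BEFORE = timedelta(days=14)   # notify this long before the deadline
OVERLAP = timedelta(days=7)        # old secret stays valid this long after a new one exists


@dataclass
class Credential:
    client_id: str            # metadata only; the secret is not stored here
    created_at: datetime
    revoked: bool = False


@dataclass
class App:
    name: str
    owner_email: str
    credentials: list[Credential] = field(default_factory=list)


def evaluate_app(app: App, now: datetime) -> dict:
    """Return the rotation decision for one app as a plain dict."""
    active = sorted((c for c in app.credentials if not c.revoked),
                    key=lambda c: c.created_at)
    if not active:
        # Misconfigured app: nothing can call the API, but nothing rotates either.
        return {"app": app.name, "status": "no_active_credential",
                "revoke": [], "overlap_days_left": None, "notify": app.owner_email}

    newest = active[-1]
    age = now - newest.created_at
    due = newest.created_at + MAX_AGE

    # Bounded overlap: older credentials are tolerated only while the newest
    # one is younger than OVERLAP; afterwards they are revoked so the rotation
    # actually completes instead of leaving two live secrets forever.
    revoke = [c.client_id for c in active[:-1] if age >= OVERLAP]
    overlap_left = (OVERLAP - age).days if active[:-1] and age < OVERLAP else None

    if age >= MAX_AGE:
        status, detail = "overdue", {"days_overdue": (age - MAX_AGE).days}
    elif age >= MAX_AGE - WARN_BEFORE:
        status, detail = "warn", {"days_left": (due - now).days}
    else:
        status, detail = "ok", {}

    return {"app": app.name, "status": status, "due": due, "revoke": revoke,
            "overlap_days_left": overlap_left,
            "notify": app.owner_email if status != "ok" else None, **detail}


def rotation_report(apps: list[App], now: datetime) -> dict[str, dict]:
    """Evaluate every app against the policy; keyed by app name."""
    return {app.name: evaluate_app(app, now) for app in apps}


def notice_text(result: dict) -> str:
    """Notification body for the app owner; empty string when nothing is due."""
    if result["status"] == "overdue":
        return (f"{result['app']}: credentials are {result['days_overdue']} days past the "
                f"{MAX_AGE.days}-day limit; rotate them immediately.")
    if result["status"] == "warn":
        return (f"{result['app']}: rotate credentials within {result['days_left']} days "
                f"(deadline {result['due']:%Y-%m-%d}).")
    if result["status"] == "no_active_credential":
        return f"{result['app']}: no active credential; create one before calling APIs."
    return ""


def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _d(2023, 3, 1)  # fixed clock so the example is deterministic

SAMPLE_APPS = [  # constructed sample data, not real consumer orgs
    App("payments", "pay-dev@example.com", [Credential("cid-pay-1", _d(2022, 12, 10))]),
    App("reporting", "rep-dev@example.com", [Credential("cid-rep-1", _d(2022, 11, 1)),
                                             Credential("cid-rep-2", _d(2023, 2, 20))]),
    App("legacy", "legacy-dev@example.com", [Credential("cid-leg-1", _d(2022, 11, 1))]),
    App("mobile", "mob-dev@example.com", [Credential("cid-mob-1", _d(2022, 12, 1)),
                                          Credential("cid-mob-2", _d(2023, 2, 26))]),
]

if __name__ == "__main__":
    for r in rotation_report(SAMPLE_APPS, NOW).values():
        print(r["app"], r["status"], "revoke:", r["revoke"], notice_text(r))
```

Run on a schedule (daily is enough for a 90-day policy), feed the `revoke` lists to whatever deletes credentials in your deployment, and send `notice_text` to the owner of every app whose `notify` field is set. Because the evaluation is pure, the same function can back a portal dashboard that shows consumers their own deadline.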


  • 2.  RE: How to enforce app credentials rotation policy for API consumers?

    Posted Wed December 14, 2022 01:51 AM
    Edited by Hemanth Chinnadandluru Wed December 14, 2022 01:51 AM
    Hi Johan,

    Thank you for posing the query. Actually, we are searching for a similar technique for periodically informing API consumers that the app's credentials need to be updated. In reality, the customer must comply with it.
    Has anyone else implemented this? Please let us know.

    Appreciate your help.

    ------------------------------
    Hemanth Chinnadandluru
    IBM Integration Engineer
    ------------------------------