OAuth credential rotation

For each of your applications that access the Connect APIs, Instacart creates a new OAuth application and provides you with a unique set of OAuth credentials. Your applications use these credentials, which consist of an OAuth client ID string and a client secret string, to generate access tokens for making API requests.

Rotating credentials for security

Your OAuth client ID and client secret are like a username and password. Together they allow you to access powerful Instacart capabilities and sensitive business and user data. Keeping these credentials secure is critical. One way Instacart helps to prevent unauthorized access to your data is by rotating your OAuth credentials.

Credential rotation is a security practice in which Instacart provides you with new OAuth client IDs and client secrets on a regular basis. The old credentials are then deactivated.

Replacing credentials regularly limits the negative impact of credentials that may have been compromised. It can also help you meet various compliance requirements, such as SOX, SOC 2, and PCI DSS.

Rotation cycle

Instacart will set up a rotation cycle for replacing your OAuth credentials every six months. If you have multiple applications with different sets of credentials, we recommend replacing all of them at the same time, regardless of when they were issued. If you prefer not to rotate all of your credentials within the same cycle, coordinate with the Instacart Enterprise Technical Support team to establish an alternate method.

Note

Whether or not you intend to rotate multiple credentials at the same time, Instacart flags all of your active credentials as due for rotation at each six-month interval. If you have any questions, contact your Instacart representative.

Rotation process example

Your Instacart representative will discuss credential rotation when you onboard to the Connect platform. The following is an example of the typical process for replacing your credentials every six months:

  1. Approximately five weeks prior to your credential rotation due date, the Instacart support team creates an Enterprise Service Desk ticket that includes the following information:

    • The OAuth client IDs of your credentials to be replaced
    • The due date for implementing the new credentials
    • A link to download the new credentials using end-to-end encrypted file transfer
    • A link to the credential rotation documentation

    When the ticket is created, you will receive an email notification.

  2. After you review the ticket and download the new credentials, you can begin reconfiguring your applications to use the new credentials.

    • Although the Instacart support team is ready to assist, you are responsible for reconfiguring your applications to use the new credentials.
    • Your old credentials remain valid while you are reconfiguring applications to use the new credentials.

  3. After the new credentials are in place, verify that each of your applications can obtain OAuth access tokens with the appropriate permissions and scope.

  4. After you have verified that your applications are working properly with the new credentials, update the service ticket to inform the Instacart support team.

  5. The Instacart support team will monitor your applications’ activity for 24 to 48 hours. After confirming that there are no requests using the old credentials, they deactivate the old credentials.

  6. If there are no outstanding issues, the support team closes the service ticket.
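To make the verification in step 3 and the monitoring in step 5 concrete, here is an added Python example; it is not Instacart's code or tooling. The token fetcher callable, the required-scope map, the log line format and the sample log lines are assumptions constructed for the example, and because this page does not describe the Connect token endpoint, the real HTTP token request is left to the caller.

```python
"""Cutover checks for an OAuth credential rotation (illustrative, not Instacart's tooling)."""
import re
from datetime import datetime, timedelta, timezone


# Step 3: every reconfigured application must obtain a token carrying the scopes it needs.
# `fetch_token` is a hypothetical callable (client_id, client_secret) -> dict with a "scope"
# string, so the real HTTP token request is supplied by the caller and can be mocked in tests.
def verify_new_credentials(new_creds, required_scopes, fetch_token):
    """Return {client_id: problems}; an empty dict means every application verified."""
    problems = {}
    for client_id, client_secret in new_creds.items():
        try:
            granted = set(fetch_token(client_id, client_secret).get("scope", "").split())
        except Exception as exc:  # credentials rejected or token endpoint unreachable
            problems[client_id] = [f"token request failed: {exc}"]
            continue
        missing = sorted(set(required_scopes[client_id]) - granted)
        if missing:  # token issued, but without a scope the application relies on
            problems[client_id] = missing
    return problems


# Step 5: before the old credentials are deactivated, the monitoring window (24 to 48 hours)
# must show no requests authenticated with an old client ID. The log format is constructed
# for this example:  2024-05-06T09:15:00Z client_id=app-one-old status=200 path=/v1/orders
LOG_RE = re.compile(r"^(?P<ts>\S+) client_id=(?P<cid>\S+) ")


def old_credential_requests(log_lines, old_client_ids, window_end, hours=48):
    """Return sorted (timestamp, client_id) pairs for old-credential use inside the window."""
    window_start = window_end - timedelta(hours=hours)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if m["cid"] in old_client_ids and window_start <= ts <= window_end:
            hits.append((ts, m["cid"]))
    return sorted(hits)


def safe_to_deactivate(log_lines, old_client_ids, window_end, hours=48):
    """True only when the monitoring window contains no request using an old client ID."""
    return not old_credential_requests(log_lines, old_client_ids, window_end, hours)


# Constructed sample data for a stand-alone run: one application still using its old ID.
SAMPLE_LOGS = [
    "2024-05-03T08:00:00Z client_id=app-one-old status=200 path=/v1/orders",  # before window
    "2024-05-06T09:15:00Z client_id=app-one-new status=200 path=/v1/orders",  # new credential
    "2024-05-06T11:40:00Z client_id=app-two-old status=200 path=/v1/stores",  # old, in window
]
WINDOW_END = datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)
```

With the sample data, `safe_to_deactivate(SAMPLE_LOGS, {"app-one-old", "app-two-old"}, WINDOW_END)` is false because `app-two-old` was still used inside the window, which is exactly the case where the old credentials should not yet be deactivated.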