Credential Rotation
Rotate your access credentials on a regular basis using the OAuth Applications tool. If a credential is compromised, regular rotation limits how long it can be used to gain unauthorized access to your data. Rotation also helps you meet the requirements of laws, frameworks, and guidelines such as SOX, SOC 2, and PCI DSS.
Pre-deployment
For each Connect environment that you need access to, Instacart creates an OAuth application scoped to that environment and the required engines (for example, connect:fulfillment and connect:recommendations). Using end-to-end encrypted file transfer, Instacart then provides you with the application's access credentials.
For each set of credentials you receive, complete the following steps:
- Securely store them using a secret management system.
- Add them to the appropriate configuration files in your application.
- Test that they can be used to obtain tokens with the expected scope, and that those tokens give your application access to the resources it needs.
- Deploy your application with the new credentials.
Rotation cycle
Instacart recommends rotating OAuth credentials every six months. You should also rotate them whenever an event occurs that might compromise their security, such as when a team member who had access to them leaves your organization. To find the recommended rotation date, check the Renew by date shown in the OAuth Applications tool.
If you have multiple applications that rely on different OAuth applications, Instacart recommends rotating all of their credentials in the same cycle, regardless of when they were issued.
When you’re ready to perform the rotation, go to OAuth Applications and find the ones whose credentials need replacing. For each of these applications, complete the following steps:
- Select Clone.
- Give the new application a name (it can be the same or you can choose a different one), and click Clone.
Make sure you save the client secret. After you close the modal, you won’t be able to view it again.
- Securely store the new credentials.
- Identify the configuration files in your application that contain the old credentials and replace them with the new credentials.
- Test that you can obtain tokens with the expected scope using the new credentials, and that those tokens give your application access to the resources it needs.
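The testing step above (and the matching pre-deployment step) is worth scripting so that every rotation runs the same checks: the new pair must yield a token carrying every required scope, the old pair must be refused once it is disabled, and a request for a scope the application was not created with must be caught rather than silently narrowed. The following is an added example, not Instacart's code. The token endpoint URL, the use of HTTP Basic client authentication, and the exact scope strings are assumptions taken from RFC 6749 and the engine names on this page; the client IDs, secrets and the `fake_token_server` stand-in are constructed so the script runs offline. Substitute the values shown in the OAuth Applications tool for your environment and pass `send_https` to hit the real endpoint.

```python
"""Smoke-test an OAuth client-credentials pair before deploying it (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Hypothetical endpoint; replace with the token URL for your Connect environment.
TOKEN_URL = "https://example.invalid/oauth/token"

Sender = Callable[[urllib.request.Request], dict]


class CredentialCheckError(Exception):
    """The credentials did not yield a token with the expected scope."""


def token_request(client_id: str, client_secret: str, scopes: list[str]) -> urllib.request.Request:
    """Build an RFC 6749 client_credentials grant, authenticating with HTTP Basic (assumed)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return urllib.request.Request(
        TOKEN_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def missing_scopes(token_response: dict, expected: set[str]) -> set[str]:
    """Expected scopes the server did not grant; empty set means all were granted.

    RFC 6749 s.5.1: `scope` is returned only when it differs from the request,
    so an absent field means the request was honoured as-is.
    """
    if not token_response.get("access_token"):
        raise CredentialCheckError(f"no access_token in response: {token_response!r}")
    if "scope" not in token_response:
        return set()
    return expected - set(token_response["scope"].split())


def send_https(req: urllib.request.Request) -> dict:
    """Real transport: POST and decode the JSON body (error responses are JSON too)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)


def verify_credentials(client_id: str, client_secret: str, scopes: list[str],
                       send: Sender = send_https) -> dict:
    """Acquire a token and check its scope; raise CredentialCheckError on any shortfall."""
    resp = send(token_request(client_id, client_secret, scopes))
    if "error" in resp:
        raise CredentialCheckError(f"token endpoint refused credentials: {resp['error']}")
    missing = missing_scopes(resp, set(scopes))
    if missing:
        raise CredentialCheckError(f"token lacks scopes: {sorted(missing)}")
    return resp


def fake_token_server(clients: dict[str, str], allowed: dict[str, set[str]]) -> Sender:
    """Constructed stand-in for the token endpoint so the check runs offline.

    `clients` maps client_id -> secret for applications that are still enabled;
    `allowed` maps client_id -> scopes the application was created with. Like a
    real server, it narrows an over-broad request to the allowed intersection.
    """
    def send(req: urllib.request.Request) -> dict:
        scheme, _, b64 = req.get_header("Authorization", "").partition(" ")
        cid, _, secret = base64.b64decode(b64).decode().partition(":")
        if scheme != "Basic" or clients.get(cid) != secret:
            return {"error": "invalid_client"}
        requested = set(urllib.parse.parse_qs(req.data.decode()).get("scope", [""])[0].split())
        granted = requested & allowed[cid]
        return {"access_token": f"tok-{cid}", "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(granted))}
    return send


# Constructed sample data: the rotated pair and the (now disabled) pair it replaces.
NEW_ID, NEW_SECRET = "conn-app-2024b", "s3cr3t-new"
OLD_ID, OLD_SECRET = "conn-app-2024a", "s3cr3t-old"
REQUIRED_SCOPES = ["connect:fulfillment", "connect:recommendations"]
EXTRA_SCOPE = "connect:example-extra"  # hypothetical scope the app was never granted

demo_server = fake_token_server(
    clients={NEW_ID: NEW_SECRET},  # only the new application is still enabled
    allowed={NEW_ID: set(REQUIRED_SCOPES)},
)


def rotation_smoke_test(send: Sender = demo_server) -> dict[str, str]:
    """Run the three checks a rotation needs and report each outcome."""
    results = {}
    try:
        verify_credentials(NEW_ID, NEW_SECRET, REQUIRED_SCOPES, send)
        results["new_pair"] = "ok"
    except CredentialCheckError as e:
        results["new_pair"] = str(e)
    try:
        verify_credentials(OLD_ID, OLD_SECRET, REQUIRED_SCOPES, send)
        results["old_pair"] = "still accepted"
    except CredentialCheckError:
        results["old_pair"] = "rejected"
    try:
        verify_credentials(NEW_ID, NEW_SECRET, REQUIRED_SCOPES + [EXTRA_SCOPE], send)
        results["extra_scope"] = "granted"
    except CredentialCheckError as e:
        results["extra_scope"] = str(e)
    return results


if __name__ == "__main__":
    for check, outcome in rotation_smoke_test().items():
        print(f"{check}: {outcome}")
```

Run the script against the real endpoint by calling `rotation_smoke_test(send_https)` with the IDs and secrets loaded from your secrets manager rather than hard-coded; the "old_pair" check is only meaningful after you have clicked Disable on the old application, and "still accepted" at that point means the disable did not take effect and deletion should wait.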
Once you're satisfied with the test results and have deployed the new credentials, disable and then delete every OAuth application that is no longer in use. For each one, complete the following steps:
- Click Disable.
- Wait at least 48 hours after disabling the application, then click Delete. If the application status is Delete Failed, wait another 48 hours to ensure that all issued tokens have expired and then try again. If deletion is still unsuccessful, contact your Instacart representative.