Protect against compromised credentials
- Use a key management system (KMS) or secrets manager for production secrets. When you create or rotate a production client secret, store it only in a system designed for secrets (encryption at rest, access control, audit). Avoid leaving copies in local files or shared drives.
- Limit who can create, read, or rotate keys. Define ownership, use least privilege, and review access periodically.
- Do not share secrets in email, chat, or support tickets. Use approved secret-handling channels only.
- Do not commit secrets to source control. Public repositories are actively scanned; private repos still leak through clones and tooling. Use environment variables or your CI/CD secret store, never literals in code.
- Do not embed client secrets or long-lived tokens in client-side apps. Mobile binaries and front-end JavaScript can be reverse-engineered; anything shipped to the device should be treated as public.
- Monitor API usage. Review logs for unusual patterns and ensure Sandbox credentials are not used against Production endpoints (and vice versa).
- Train your team and document your process. Keep internal runbooks current for onboarding, incident response, and rotation.
- Rotate credentials on a schedule and after suspected exposure. Rotating client secrets and invalidating old values limits blast radius if a secret was leaked without your knowledge.