App Secret expiry
Gracefully expire an App Secret in order to migrate to a new one
The App Secret is the key to secure authentication with the dialogportal™ REST API (see Authenticating requests). By default the App Secret never expires and can be used indefinitely. However, in certain situations it can be desirable to expire an old App Secret and begin to use a new one. This may be done as a mechanism for forcing users to upgrade to a new version of an app: the old version uses the expired App Secret and is no longer authorized to access the REST API, so it informs users that it is time to upgrade to the new version, which uses the new App Secret. Alternatively, it could be a security measure if an attacker has managed to find the old App Secret and begun making unauthorized API requests.
To expire an App Secret, please contact your Fluid liaison. The old App Secret will be expired and a new App Secret provided.
The App Secret can either be expired immediately, or at some time in the future. When the expiry date is in the future, any REST API request will receive an extra response header AppSecretExpires, containing the expiry date in UTC format, e.g. AppSecretExpires: 2020-04-01T05:00:00Z. The requesting app may use this date to warn users of a need to upgrade etc.
When the App Secret expiry date has passed, REST API requests will fail with HttpStatusCode 401, including an extra response header ApiStatusSubCode: 401.10.
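One way a client app could act on these two headers is sketched below. It is an added example, not code from dialogportal™ or Fluid. The header names, the 401.10 sub-code and the date format come from this page; the function names, state labels and the 30-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Header names and sub-code are taken from the page; everything else here
# (function names, state labels, warn_within) is assumed for illustration.
EXPIRES_HEADER = "appsecretexpires"
SUBCODE_HEADER = "apistatussubcode"
EXPIRED_SUBCODE = "401.10"


def parse_expiry(value):
    """Parse the UTC format shown on the page, e.g. 2020-04-01T05:00:00Z."""
    try:
        parsed = datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ")
    except (AttributeError, ValueError):
        return None  # missing or malformed header: treat as no expiry info
    return parsed.replace(tzinfo=timezone.utc)


def check_app_secret(status_code, headers, now=None, warn_within=timedelta(days=30)):
    """Return (state, time_remaining) for one REST API response."""
    now = now or datetime.now(timezone.utc)
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    if status_code == 401:
        if h.get(SUBCODE_HEADER, "").strip() == EXPIRED_SUBCODE:
            return ("expired", None)      # prompt the user to upgrade
        return ("auth_failed", None)      # some other 401: not an expiry

    expires = parse_expiry(h.get(EXPIRES_HEADER))
    if expires is None:
        return ("ok", None)
    remaining = expires - now
    state = "expiring" if remaining <= warn_within else "scheduled"
    return (state, remaining)


if __name__ == "__main__":
    # Constructed sample response, using the example date from the page.
    sample_now = datetime(2020, 3, 25, tzinfo=timezone.utc)
    sample = {"AppSecretExpires": "2020-04-01T05:00:00Z"}
    print(check_app_secret(200, sample, now=sample_now))
```

Keeping the 401.10 case separate from other 401 responses means the upgrade prompt is shown only for an expired App Secret, while any other authentication failure stays visible as its own condition.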