Storing API credentials
When you are set up in the ReadyRemit platform, the ReadyRemit Integrations Team will provide you with API credentials that must be securely stored in your system. This document describes best practices for secure storage of API credentials.
1. Retrieve API credentials
During your onboarding, the ReadyRemit Integrations Team will provide you with API credentials that can be used to retrieve an Access Token from the ReadyRemit API. The API credentials you are provided consist of two (2) different pieces of information: Client ID and Client Secret. These credentials will be shared with you via a secure email to your engineering team.
Different environments
Client ID and Client Secret will be different between the Sandbox and the Production environments. Sandbox credentials will be provided at the beginning of the integration process and production credentials will be stored after certification.
2. Store API credentials
API credentials are highly sensitive data points and should be treated the same way a password or private encryption key are treated.
- API credentials should never be hardcoded into an application or included in any source control repository.
- API credentials should never be shared in plain text over unsecured channels like Slack.
- Access to API credentials for Production environments should be restricted only to those individuals for whom access to production credentials are critical for the operation of your platform.
Secrets Management Tools
We recommend the use of a secrets management tool or service such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to provide secure storage and access to your Client ID and Client Secret.
Updated 4 months ago