PingOne

Rotating an API gateway credential

For security reasons, you should rotate an API gateway’s credential on a regular basis.

About this task

If the credential might have been compromised, change it immediately.

An API gateway credential is a safeguard against requests from an unauthorized API gateway integration kit. After you create a credential and copy it to your Ping Identity integration kit, the credential is included in authorization requests made from the API gateway to the HTTP Access Policy service. If the credential is absent or no longer valid, the HTTP Access Policy service automatically rejects the client API request.

You can use the PingOne Authorize console to create a new credential for an existing API gateway. This enables you to retrieve the credential without having to make an API call. After you create a new credential in PingOne Authorize, you must update all API gateway integration kits that use the credential. Retain the previous credential to give API gateway owners time to make updates without causing errors for users.

Steps

  1. In PingOne, go to Authorization → API Gateways.

  2. Click the API gateway with the credential that you want to rotate to open its details panel.

  3. On the details panel, click the icon next to Credentials, copy the credential and save it somewhere convenient, and then click Done.

    Screen capture of a successful credential creation, with the Copy to clipboard button highlighted

    The HTTP Access Policy service will accept both the old and new credentials. To prevent downtime, do not revoke the active gateway credential until after you update the integration kits.

  4. Update each integration kit with the newly created gateway credential.

    Learn more about configuring your specific integration kit in API Gateway integrations.

  5. In the details panel of your API gateway, click the Delete icon next to the old gateway credential, and then click Revoke.

    Screen capture of the Revoke Credential window being displayed
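
A pre-revocation check to run before step 5, added here as an example and not taken from Ping Identity's code or documentation: it scans each integration kit's configuration text for the old and new credential and allows revocation only when every kit is confirmed on the new one. The kit names, the configuration layout, and the credential values are constructed assumptions.

```python
import hashlib


def fingerprint(credential: str) -> str:
    """Short SHA-256 prefix that identifies a credential in logs without exposing it."""
    return hashlib.sha256(credential.encode("utf-8")).hexdigest()[:12]


def classify(config_text: str, old: str, new: str) -> str:
    """Classify one integration kit's configuration text."""
    if old in config_text:
        return "stale"    # old credential still present: revoking now breaks this kit
    if new in config_text:
        return "updated"
    return "unknown"      # neither found (secret may be stored elsewhere): verify by hand


def rotation_report(configs: dict, old: str, new: str) -> dict:
    """Map each kit name to its rotation state."""
    return {name: classify(text, old, new) for name, text in configs.items()}


def safe_to_revoke(report: dict) -> bool:
    """Revoke only when every known kit is confirmed on the new credential."""
    return bool(report) and all(state == "updated" for state in report.values())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    OLD = "constructed-old-credential-aaaa"
    NEW = "constructed-new-credential-bbbb"
    # Constructed kit configurations; the key name is hypothetical.
    configs = {
        "kit-a": f"gateway_credential = {NEW}\n",
        "kit-b": f"gateway_credential = {OLD}\n",
        "kit-c": "gateway_credential = ${SECRET_REF}\n",
    }
    report = rotation_report(configs, OLD, NEW)
    print(f"old={fingerprint(OLD)} new={fingerprint(NEW)}")
    for name, state in sorted(report.items()):
        print(f"{name}: {state}")
    print("safe to revoke old credential:", safe_to_revoke(report))
```

A kit reported as unknown blocks revocation in the same way as a stale one, because its credential could not be confirmed from the configuration text.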