Credential Rotation Policy for Person API and HR API
This policy applies to all applications using Consumer Key and Consumer Secret issued through the Developer Portal.
Policy Requirements
API consumers are required to:
- Rotate credentials (Consumer Key and Consumer Secret) every 6 months
- Update any applications or systems that use the old credentials before those credentials are removed
Why Credential Rotation Is Required
Credential rotation is a security best practice that helps reduce the impact of:
- Credential leaks
- Accidental credential exposure
- Long-lived compromised secrets
- Unauthorized API access
Regular credential rotation helps ensure applications remain secure and compliant with platform security standards.
What Happens If Credentials Are Older Than 6 Months
Applications with credentials older than 6 months may be identified during automated weekly credential audits.
If credentials older than 6 months are detected:
- Team members may be contacted by the API team
- Consumers will be asked to rotate their credentials promptly
How to Rotate Credentials
Detailed instructions are available here:
Recommended Rotation Process
To minimize service interruptions:
- Generate new credentials before removing old credentials
- Deploy updated credentials to all environments
- Validate application functionality
- Remove the old credentials only after the new credentials have been deployed and validated
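The process above can be expressed as a small rotation helper. The following is an added illustration and not code from the Developer Portal or the API team: it assumes a hypothetical local record of which Consumer Key / Consumer Secret pairs an application currently accepts, a hypothetical `validate(environment, credential)` callback standing in for the real smoke test against the Person API or HR API, and a 6-calendar-month age threshold. It shows the two points that matter for zero-downtime rotation: the new pair is added while the old one is still active, and the old pair is retired only after validation succeeds in every environment (if validation fails anywhere, the old pair stays in service). The `audit` function mirrors the weekly age check described on this page.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List

# Policy parameter from the page: rotate every 6 months.
ROTATION_INTERVAL_MONTHS = 6


@dataclass(frozen=True)
class Credential:
    """A Consumer Key / Consumer Secret pair and the date it was issued."""
    consumer_key: str
    consumer_secret: str
    issued: date


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target
    month's length (e.g. 31 Aug + 6 months -> 28 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def rotation_due(cred: Credential, today: date) -> bool:
    """True once the credential has reached the policy age threshold."""
    return today >= add_months(cred.issued, ROTATION_INTERVAL_MONTHS)


@dataclass
class AppCredentials:
    """Hypothetical record of the credentials one application accepts.
    Two pairs are active only during a rotation window."""
    name: str
    active: List[Credential] = field(default_factory=list)

    def current(self) -> Credential:
        """Newest active credential, i.e. the one clients should be sending."""
        return max(self.active, key=lambda c: c.issued)

    def rotate(self, new: Credential, environments: List[str],
               validate: Callable[[str, Credential], bool]) -> List[str]:
        """Overlapping rotation: add the new pair, validate it in every
        environment, and retire the old pairs only after every validation
        passes. Returns the environments where validation failed; an empty
        list means the rotation completed. On failure the old credentials
        stay active and the new pair is withdrawn from this record (deleting
        the key in the Developer Portal is a separate step not modelled here),
        so nothing still using the old pair breaks."""
        self.active.append(new)
        failed = [env for env in environments if not validate(env, new)]
        if failed:
            self.active.remove(new)
            return failed
        self.active = [new]
        return []


def audit(apps: Dict[str, AppCredentials], today: date) -> List[str]:
    """Weekly audit: names of apps whose newest credential has reached the
    rotation threshold."""
    return sorted(name for name, app in apps.items()
                  if rotation_due(app.current(), today))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    old = Credential("key-old", "secret-old", date(2024, 1, 15))
    new = Credential("key-new", "secret-new", date(2024, 7, 15))
    app = AppCredentials("payroll-sync", [old])

    today = date(2024, 7, 15)
    print("due for rotation:", audit({app.name: app}, today))  # ['payroll-sync']

    # First attempt: the new pair has not been deployed to prod yet, so the
    # prod smoke test fails and the old pair is kept.
    failed = app.rotate(new, ["dev", "prod"], lambda env, c: env != "prod")
    print("failed in:", failed, "still active:", [c.consumer_key for c in app.active])

    # After deploying everywhere, validation passes and the old pair is retired.
    failed = app.rotate(new, ["dev", "prod"], lambda env, c: c is new)
    print("failed in:", failed, "active:", [c.consumer_key for c in app.active])
```

The `validate` callback is where a real rotation would call the API with the new Consumer Key and Consumer Secret in each environment; only a successful call in every environment should trigger removal of the old pair.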
Frequently Asked Questions
Does rotating credentials cause downtime?
Credential rotation should not cause downtime if the new credentials are deployed and validated before the old credentials are removed.
How often do I need to rotate credentials?
Every 6 months.
Will I receive reminders?
Yes. Owners of applications with credentials issued more than 6 months before a weekly audit will be notified by the API Team.
Does this policy apply to all APIs?
No. This policy only applies to applications that are approved to use the Person API and HR API.
Support
If you need assistance rotating credentials or identifying affected applications, contact the DoIT Enterprise Integrations API Team: api@doit.wisc.edu.