guideAPI secret

# API secret overview

The API secret is used for authentication in the most critical parts of the system where access should be limited. For example, the API secret is used in REST APIs and webhooks mechanisms.

For security reasons, the API secret should be kept in a safe place. We also suggest rotating the API secrets older than 3 months.

# API secrets management

It is possible to create up to 3 API secrets, by using the “API secrets” tab in the CKEditor Ecosystem customer dashboard. It allows for an easier API secret rotation. The “API secrets” tab also provides information such as the creation and last usage dates of a given API secret.

The old API secret from the “API configuration” tab stays valid. In case you will need to deactivate it, please regenerate the key by using the deprecated instruction.

List of API secrets in the API secrets tab.

# Create a new API secret

To generate a new API secret click the “Create a new API secret” visible on the “API secrets” tab.

The API secret’s value will be shown only once. Copy the newly created API secret and save it in a safe place.
It will not be possible to display the full value of this API secret again.

Value of newly added API secret.

# Set API secret to be used to sign webhooks requests

The first API secret created in the “API secrets” tab will be automatically set for signing webhooks requests.

To change which API secret should be used for that, click the radio button of the given API secret in the “Use with webhooks” column.

The change must be confirmed or canceled.

Use API secrets to sign webhooks confirmation modal.

At any moment it’s possible to delete any API secret which is not currently set for signing webhooks requests.
If there’s a need to delete the API secret set for use with webhooks, another API secret should be set for signing webhooks requests first.

# Remove API secret

To remove the API secret click the “Trash” icon in the “Actions” column next to the API secret you want to remove.
This operation cannot be undone, so it requires confirmation by writing the “remove” phrase in a confirmation modal and clicking the “Confirm” button.

API secret remove confirmation modal.

# API secret management (DEPRECATED)

The API secret is available for every environment in the CKEditor Ecosystem customer dashboard for SaaS or in the Management Panel for On-Premises. To find it, please follow the steps below:

  1. From the list of environments select one that you want to manage:

Select the environment that you want to manage.

  1. Go to the “API configuration” tab and click the “Refresh” button in the “API secret” section:

The API configuration section with the “Refresh” button in the API secret section.
Read the message and click the “Refresh” button to create a new API secret:

The API secret refresh prompt.

  1. Copy the newly generated API secret and save it in a safe place. It will not be possible to display this API secret again.

The API configuration section with the newly created API secret displayed.

If by any chance your API secret is made public, it should be changed immediately by using the “Refresh” button shown in the image above.