Implementing Credential Rotations as an Add-on Partner
Last updated 13 July 2020
Table of Contents
Add-on Partners can rotate the credentials associated with an add-on instance at will via the legacy V1 or current V3 Partner Integration APIs.
Some partners have implemented customer-spawned credential rotation features via their SSO add-on dashboard. Other partners rotate credentials automatically in the background at regular intervals - for instance, every 90 days.
Determine which Partner Integration API Version your Add-on Service Uses
You can find the API version your add-on is using in the Partner Portal under “Settings” -> “Provisioning API”.
V1 Add-on Partner API integrations
You can use the legacy App Info API to update config vars for your add-on instances.
V3 Add-on Partner API integrations
You can use the Platform API for Partners to update config vars. These endpoints may be available to some allowed partners operating under V1 - if you’re using the platform API elsewhere, you should prefer this method over the legacy App Info API.
Both methods will cause a new release (and subsequent dyno restart) on:
- The app that owns the add-on instance and
- All apps that are attached to the add-on instance.
This is normally transparent to Heroku customers.
You should ensure the old credentials work while the release and dyno restart process completes, otherwise your customers may submit requests to your service with invalid keys. You should wait an hour or two before removing the old credentials, as dynos in private spaces can take longer to restart than those in the common runtime.