Implementing Credential Rotations as an Add-on Partner
Last updated 20 June 2018
Table of Contents
Add-on Partners can rotate the credentials associated with an add-on instance at will via the legacy V1 or current V3 Partner Integration APIs.
Some partners have implemented customer-spawned credential rotation features via their SSO add-on dashboard. Other partners rotate credentials automatically in the background at regular intervals - for instance, every 90 days.
Determine which Partner Integration API Version your Add-on Service Uses
You can find the API version your add-on is using in the Partner Portal under “Settings” -> “Provisioning API”.
V1 Add-on Partner API integrations
You can use the legacy App Info API to update config vars for your add-on instances.
V3 Add-on Partner API integrations
You can use the Platform API for Partners to update config vars. These endpoints may be available to some whitelisted partners operating under V1 - if you’re using the platform API elsewhere, you should prefer this method over the legacy App Info API.
Both methods will cause a new release on:
- The app that owns the add-on instance and
- All apps that are attached to the add-on instance.
This is normally transparent to Heroku customers.