This guide aims to walk you through managing environment access secrets via the UI. To follow, please log into your account at https://id.spreedly.com. Alternatively, you may create and manage access secrets via the API.
Access secrets are considered private and secure. Do not share them or expose them to insecure channels - even in e-mails to the Spreedly team.
There are two types of access secrets:
- Organization Access Secret (All Environments)
- Single Environment Access Secret (Single Environment Only)
A single environment access secret can be used to authenticate API calls for a single environment, while an organization access secret can authenticate API calls within any environment.
Spreedly recommends using separate environments in combination with Single Environment Access Secrets to isolate production connections and data from non-production connections and data. If you use separate environments with Organization Access Secrets, there is a risk as production and non-production environments are accessible via a common API access secret. Test and QA environments should not share credentials with production-level environments.
An access secret, in combination with an environment key, grants full access to the Spreedly API. If you or another user within your organization share the access secret insecurely, we advise that you revoke the secret as soon as possible, and generate a new one.
- View your access secrets
- Add a new access secret
- Revoke an access secret
- Share your access secrets
- Creating and retrieving access secrets via API
View your access secrets
To view your access secrets, log into your account and navigate to the blue bar on the top of the page and click on the Organization tab for Organization Access Secrets or Environments Tab for Single Environment Access Secrets. Note that the image below is edited - when you visit your account page, no information is hidden:
Add a new access secret
Navigate to the bottom of your list of API Access Secrets, below there is a blue button "Add Access Secret" to allow the creation of a new access secret:
Access secrets are randomly generated codes, but you can choose your name. Unique names can help you keep track of which access secrets you are using for your different environments or applications.
Revoke an access secret
You may revoke an access secret at any time by clicking the "Delete" button:
Deleting an access secret is permanent and cannot be undone by you, or by Spreedly.
Do not delete an access secret unless you are sure you wish to do so. If the production code uses the old access secret, you would need to replace it with a new access secret, or else you will not be able to accept payments.
Share your access secrets
Access secrets should never be shared over insecure, unencrypted channels. The safest way to share access secrets with individuals you trust is to add them as a user to your Spreedly account. As a user, they will be able to view all of your access secrets, manage them, and create their own.
For individuals (ie. third-party vendors, customers using your platform, etc.), you only want to grant access to a single environment within your Spreedly Organization you will need to provide them with the single access secret for that environment only. You do not want to add them as a user to your Spreedly Account because this would give them access to all of your account information and access secrets.
Creating and retrieving access secrets via API
You may also create environment access secrets via the API as well as retrieve any access secrets already connected with an environment. Please refer to the API documentation for more details.
Questions? We are happy to help!
For non-Spreedly customers, fill out our contact us form by clicking here. For active Spreedly customers, reach out to your Customer Success Manager or email firstname.lastname@example.org