Rotate OAuth Tokens


Support for OAuth 2.0 was introduced only recently, and a new feature now makes it easy to rotate OAuth tokens. An OAuth token is generated whenever someone creates a personal access token, or when a new application is registered for an integration in the ‘Applications’ section of the Settings console.

To rotate the OAuth token of an application, an administrator can select the application in the ‘Applications’ section of the Settings console.

Existing application with one OAuth token

With the application in View mode, the administrator is able to press the Add Token button.  This causes a second OAuth token to be added.  At this point, the administrator can copy the client ID and client secret of the new token.  This is the only time the client secret will be visible, so it is important to copy it and to store it somewhere safe.

Application after second OAuth token has been added

Because an application (or personal access token) can have up to two OAuth tokens, the Add Token button is hidden after a second token has been added.

With the new token added, a developer can update the integration between the application and 4me with the client ID and client secret of the new token.  Once this update has been made, the old token can be disabled.  After confirming that the integration still works, the old token can be deleted.

Application with disabled OAuth token

This completes the rotation of an application’s OAuth token.  Specialists, designers and administrators can rotate the OAuth tokens of their personal access tokens in the same manner after clicking on their picture (or initials) in the toolbar, clicking on the ‘My Profile’ option in the User menu and opening the ‘Personal Access Tokens’ section.