As this API requires you to use access tokens, there are some security best practices you should implement as part of your integration.

Client Id And Client Secret

The client Id and client secret are, in effect, very similar to a username and password for a website, so you should take the same precautions when storing them.

We recommend you take the following into consideration:

  • Client Ids and Secrets should be encrypted before being persisted in a database
  • Client Ids and Secrets should not be shared among different users
  • Client Ids and Secrets should not be exposed publicly

Access tokens

Once generated, access tokens are a gateway into acting on behalf of a host on the Plum Guide platform. They give you temporary access to manipulate listings and gather information from the host.

Due to this, we recommend you take the following into consideration:

  • Do not send tokens over non-HTTPS connections, as those requests can be intercepted and the tokens compromised.
  • Access tokens should not be exposed publicly
  • Access tokens should not be shared among different users
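
One way to enforce the HTTPS-only rule above in client code, as an added example that is not Plum Guide's own code. It assumes the token is sent as a Bearer Authorization header; the names require_https, HttpsOnlyRedirects, build_request, redact and open_with_token are hypothetical.

```python
import urllib.request
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """Raised when a token would travel over a non-HTTPS connection."""


def require_https(url):
    # Reject anything that is not https:// with a host, before a token is attached.
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureTransportError("refusing to send token to " + repr(url))
    return url


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    # urllib copies request headers (Authorization included) onto the redirected
    # request, so a redirect to http:// would put the token on the wire in clear.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_request(url, access_token):
    # Assumption: the API accepts the token as a Bearer Authorization header.
    req = urllib.request.Request(require_https(url))
    req.add_header("Authorization", "Bearer " + access_token)
    return req


def redact(token):
    # Form that is safe for logs and error messages: never the full token.
    return token[:4] + "..." if len(token) > 8 else "***"


def open_with_token(url, access_token, timeout=10):
    # The custom handler replaces urllib's default redirect handler.
    opener = urllib.request.build_opener(HttpsOnlyRedirects())
    return opener.open(build_request(url, access_token), timeout=timeout)
```

The guard only covers the transport scheme; it does not stop a redirect to a different HTTPS host from receiving the header.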

📘

Unable to retrieve lost client secrets

Once a ClientId and Secret are created, due to encryption on our side, we are unable to decrypt and retrieve the secret in plain text. If the secret is lost, the only possibility is to reset it and generate a new one, which automatically overrides the previous one. The new secret will then have to be used in every future authorization request.