Warning: this page is not public yet.

...

Who is it for?

This guide is intended for technical contacts at WMDA member organisations who manage API integrations and credentials. In this guide, we refer to these contacts as Credential Managers - the designated technical users responsible for managing API credentials.

Quick summary

  • What credential managers can do
  • What WMDA does vs what members do
  • Why secret rotation matters

1. Manage API Credentials

You can manage API credentials using the Manage API Credentials page, where you can view, create, and delete client secrets.

...

  1. Visit the Manage API Credentials page https://portal.wmda.info/manage-api-credentials.
    1. You must log in to the WMDA Portal using MFA (see MFA user guide).
    2. You must have the credential manager role assigned by the WMDA team.

...

Who can be assigned the credential manager role?

  • Any user within your organisation who has access to the WMDA Portal can be assigned this role.

  • This user does not need access to any other WMDA Portal pages (e.g. Search & Match or Data Manager). They only need to be able to log in to the WMDA Portal using MFA (see MFA user guide).

Responsibilities:

  • Your organisation should designate one or more credential managers responsible for managing API credentials.

  • Only users with the credential manager role assigned by the WMDA team can access the Manage API Credentials page.

  • WMDA cannot assign this role without confirmation from your organisation.

  • Before contacting WMDA support, please confirm internally who in your team should be assigned this role.

...

  • If access is required, contact

...

As a credential manager, you can use the Manage API Credentials page to:

  • View the applications and their client IDs provided by the WMDA team.
  • Create new client secrets for these applications.
  • See the expiration date for each client secret.
  • Delete client secrets that are no longer needed.

1.2 Create a Client Secret

  1. Visit the Manage API Credentials page https://portal.wmda.info/manage-api-credentials and click the "Create new secret" button. A pop-up will appear:

...

  2. Provide a client secret name and an expiration date (1 year maximum) for this secret:


Warning: The maximum expiration date for a client secret is one year to comply with WMDA security policies.

Info

We advise including your name in the "client secret name" field (e.g., "Secret by John Doe") so the WMDA IT team can contact you if troubleshooting or follow-up is needed.

...

Warning

When you create a new secret, copy and store it securely. After you refresh or return to this page, the full secret will no longer be visible - only the first three characters (hint) will remain. If you don't copy the newly created secret, you lose it, and you'll need to generate a new secret.

WMDA will never be able to retrieve a lost client secret.


Once a new client secret is in use, the old one should be removed to prevent unnecessary expiration reminders and confusion.

...

A client secret that is about to expire (in less than one month) is marked with a warning icon next to the expiration date on the Manage API Credentials page.

2. About API Credentials

...

Recommended Rotation Workflow

  1. Create new client secret.
  2. Update it in your system.
  3. Confirm connectivity.
  4. Delete old client secret.

This recommended workflow mirrors real-world operational practice and avoids outages.

Do Not

  • Do not create client secrets with a short expiration date unless required for specific testing purposes. We recommend using the maximum expiration of 1 year to minimise rotation work.

  • Do not share client secrets with anyone outside your organisation. Treat them as confidential credentials.

  • Do not use expired secrets - they will break API connections. Always create a new secret before the old one expires.

  • Do not delete secrets currently in use without first updating systems that rely on them. Deleting an active secret will immediately stop API access.

2. About API Credentials

Info

To authenticate with WMDA APIs, a bearer token must be requested from the WMDA. For details on how client ID and client secret are used to retrieve bearer tokens and authenticate future requests to the WMDA API, see API authentication.


The WMDA IT team creates applications for member organisations that implement WMDA APIs. To securely connect to these applications, the IT team provides API credentials, which consist of:

  • Client ID - a permanent identifier for the application.
  • Client secret - a confidential credential used to authenticate API requests, which must be rotated periodically.

API credentials are used exclusively for machine-to-machine authentication and are not intended for user login.

Client ID

  • Created by the WMDA and shared with your organisation.
  • Identifies your application's connection to the WMDA APIs.
  • Permanent - it does not expire and cannot be changed.

...

Warning

Client ID stays the same permanently. It does not expire and does not need to be replaced.

Client secret expires after a set period.

When the client secret expires, API connections will stop working until a new secret is created and updated in your systems.

To avoid interruptions, always rotate the secret before it expires. See 4. Email Notifications About Expiring Client Secrets below.


3. Applications on the Manage API Credentials Page

The Manage API Credentials page lists the application registrations created by the WMDA IT team for your organisation. Each application registration represents access to one or more APIs.

These applications are created and managed by the WMDA IT team; member organisations cannot create or modify them.

Examples of applications you may see on the Manage API Credentials page:

...

Depending on the API permissions assigned to your application registration, it may have access to the following WMDA resources: 

...

Info

PartnerAlternative is a "dummy" application registration for implementers to test their Match-Connect API integration internally. It works only in the Match-Connect sandbox and is provided upon request.

Each application registration has its own client ID and client secret. Visibility depends on your user role and the API permissions assigned to your application registration by the WMDA team.

4. Email Notifications About Expiring Client Secrets

The credential managers for your organisation will automatically receive email notifications from WMDA when a client secret is approaching expiration.

...

  • 6 weeks before client secret expiration.
  • 3 weeks before client secret expiration.
  • 1 week before client secret expiration - daily reminders until the secret is replaced.
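A credential manager can mirror this reminder schedule and the recommended rotation workflow in a local check, so a missed email does not turn into an outage. The following is an added example, not WMDA code. It assumes a hand-maintained inventory, because the guide describes no API for listing secrets; the `Secret` fields, the `in_use` flag and the application names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

REMINDER_DAYS = (7, 21, 42)  # guide: e-mails 1, 3 and 6 weeks before expiry
MAX_LIFETIME_DAYS = 366      # assumption: "1 year maximum", leap year allowed

@dataclass
class Secret:
    app: str       # application name as listed in the portal
    name: str      # client secret name
    created: date
    expires: date
    in_use: bool   # from your own inventory; the portal does not record this

def review(secrets, today):
    """Return (app, secret name, finding) for every secret needing action."""
    findings = []
    for s in secrets:
        peers = [o for o in secrets if o.app == s.app and o is not s]
        days_left = (s.expires - today).days
        if (s.expires - s.created).days > MAX_LIFETIME_DAYS:
            findings.append((s.app, s.name, "lifetime over one year"))
        if not s.in_use:
            # An unused secret that outlives the active one is a rotation
            # in progress (workflow steps 2-3); anything else is clutter.
            if not any(o.in_use and o.expires < s.expires for o in peers):
                findings.append((s.app, s.name, "unused: delete"))
        elif days_left < 0:
            findings.append((s.app, s.name, "expired: API access is failing"))
        elif days_left <= max(REMINDER_DAYS):
            window = min(d for d in REMINDER_DAYS if days_left <= d)
            ready = any(o.expires > s.expires for o in peers)
            step = ("update systems and confirm connectivity" if ready
                    else "create a new secret")
            findings.append(
                (s.app, s.name, f"{days_left}d left, {window}d window: {step}"))
    return findings

# Constructed inventory: application and secret names are made up.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Secret("AppA", "Secret by John Doe", date(2024, 6, 20), date(2025, 6, 20), True),
    Secret("AppA", "Secret by John Doe (new)", date(2025, 5, 30), date(2026, 5, 30), False),
    Secret("AppB", "Secret by Jane Roe", date(2024, 7, 5), date(2025, 7, 5), True),
    Secret("AppB", "old test secret", date(2024, 9, 1), date(2025, 3, 1), False),
]
```

Store only names and dates in such an inventory, never the secret values themselves.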

...
