Today we have added the ability for Cronofy API applications to have multiple, active client secrets.
You can manage your client secrets in the Credentials section of your application, within the Cronofy developer dashboard.
This gives people the ability to rotate secrets as they wish without any interruption or our involvement.
Your current secrets will remain valid indefinitely so you do not need to change anything.
Push notification authenticity alteration
The only externally visible change to the API relates to the Cronofy-HMAC-SHA256 header provided with every notification request sent by Cronofy to verify its authenticity. When multiple secrets are active, an HMAC value will be provided for each of them.
If you are verifying your notifications via this header, you should alter your code to account for multiple values being provided before generating any new secrets.
Details and examples of verifying this header are available in our documentation, and our core SDKs will soon be updated to add or extend helpers for this process.
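A receiver-side check for the multi-value header described above, as an added example that is not Cronofy's own code. It assumes each value is the Base64-encoded HMAC-SHA256 of the raw request body and that multiple values are comma-separated; this page states neither, so confirm both against the documentation. The secrets and body are constructed samples.

```python
import base64
import hashlib
import hmac


def sign_body(client_secret: str, body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body (encoding is an assumption)."""
    digest = hmac.new(client_secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def notification_is_authentic(header_value, body: bytes, client_secret: str) -> bool:
    """Accept the request if any HMAC in the header matches our secret.

    header_value is the Cronofy-HMAC-SHA256 header; the comma delimiter
    is an assumption. body must be the raw bytes as received, before any
    JSON parsing or re-serialisation.
    """
    if not header_value:
        return False  # missing or empty header is never authentic
    expected = sign_body(client_secret, body).encode()
    matched = False
    for candidate in header_value.split(","):
        candidate = candidate.strip()
        # compare_digest runs in constant time, so response timing does
        # not reveal how much of a guessed value was correct.
        if candidate and hmac.compare_digest(candidate.encode(), expected):
            matched = True
    return matched


# Constructed sample: two active secrets during a rotation.
OLD_SECRET = "constructed-old-secret"
NEW_SECRET = "constructed-new-secret"
BODY = b'{"notification":{"type":"change"}}'
HEADER = ",".join([sign_body(OLD_SECRET, BODY), sign_body(NEW_SECRET, BODY)])

if __name__ == "__main__":
    # A receiver still configured with the old secret keeps verifying,
    # as does one already switched to the new secret.
    print(notification_is_authentic(HEADER, BODY, OLD_SECRET))
    print(notification_is_authentic(HEADER, BODY, NEW_SECRET))
```

A verifier that compares the whole header string against a single computed HMAC fails as soon as a second secret is active, which is why the header is split before comparison.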
If you have any questions, or need any help, please get in touch via the Support Widget or via email to firstname.lastname@example.org