The API Secret Management section of the Dashboard permits a user with the Super Admin role to generate and manage the confidential, organisational Client Secret used to authenticate B2B API integrations (for example, when obtaining OAuth access tokens).
Each organisation can maintain a single active, organisational Client Secret at any given time. Generating a new Secret rotates any previous Secret and prevents its future use.

Access to API Client Secret management is strictly controlled. Only users with the Super Admin role for an organisation are permitted to:
- View the API Secret tab in the Dashboard; and
- Generate or replace the organisation’s API Client Secret.
Users with the Admin role, or any other Dashboard role, cannot view, access, or generate API Client Secrets. This safeguard ensures that sensitive credentials are managed only by users with the highest level of organisational authority.
Secret status information, such as whether a Client Secret has been generated and the timestamp of last generation, is held within the audit trail of the generator’s Dashboard profile.
Used to create or rotate the API client secret for the current organisation.

To create a new API Client Secret or replace an existing one, follow the steps detailed below:
- In the left-hand navigation panel, select API Access.
- In the Client Secret section, click Generate Client Secret.
When a Super Admin selects Generate Client Secret, the platform automatically performs the following actions:
- Securely generates a cryptographically strong random Secret.
- Encrypts and stores the Client Secret against the organisation’s client record.
- Invalidates any previously active Client Secret for the organisation.
- Records a “Client Secret Generation” event in the audit log.
- Once generated, a one-time Secret modal will appear.
- The Client Secret (plain text) will be displayed only once, at this point.
⚠️ Important: Copy and securely store the Client Secret now. It will not be visible again.
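The rotation behaviour described above can be modelled in a few lines. This is an added illustration, not the platform's own code: the class `ClientSecretStore`, its method names, and the sample organisation and user values are hypothetical, and a SHA-256 digest stands in for the encrypted storage the platform uses.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class ClientSecretStore:
    """In-memory model of one active Client Secret per organisation (hypothetical)."""

    def __init__(self):
        self._digests = {}   # org_id -> SHA-256 digest of the single active secret
        self.audit_log = []  # append-only list of audit events

    def generate(self, org_id, user, role):
        # Only the Super Admin role may generate or replace the secret.
        if role != "Super Admin":
            raise PermissionError(f"role {role!r} cannot manage Client Secrets")
        # 32 bytes from the OS CSPRNG, URL-safe encoded.
        secret = secrets.token_urlsafe(32)
        # Assumption: a digest stands in for the encrypted storage the page
        # describes. Overwriting the record invalidates the previous secret.
        self._digests[org_id] = hashlib.sha256(secret.encode()).digest()
        self.audit_log.append({
            "event": "Client Secret Generation",
            "org_id": org_id,
            "user": user,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        # The plain text is returned once and never kept by the store.
        return secret

    def verify(self, org_id, presented):
        stored = self._digests.get(org_id)
        if stored is None:
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, stored)


def demo():
    store = ClientSecretStore()
    first = store.generate("org-1", "alice", "Super Admin")   # constructed values
    second = store.generate("org-1", "alice", "Super Admin")  # rotation
    return store.verify("org-1", first), store.verify("org-1", second), len(store.audit_log)
```

For integrators, the practical consequence is that any service still holding the previous Secret fails authentication as soon as a new one is generated, so update the stored credential in every integration at rotation time.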