issues
issues copied to clipboard
Published
20 hours ago •
twitchdev
twitchdev
Extension Docs: Managing Extension Secrets
Brief description
The note is in the wrong place on https://dev.twitch.tv/docs/extensions/building/#managing-extension-secrets
Rotating Secrets
To keep your secrets from becoming useless, you must rotate them before they expire. To do so, create a new secret on the extension’s Settings page under Secret Keys. The table will update, showing when the previous key will expire and the new key will be active.
Because of the activation delay, you can have multiple secrets active for some (configurable) period of time. For signing, use the active secret with the latest expiration time.
Note: This option is for emergency situations where a secret has been compromised and breaking the extension is preferable to waiting for the secret to cycle.
For a higher level of security, you can rotate secrets programmatically on a scheduled basis. For more information, see the [Extensions Reference](https://dev.twitch.tv/docs/extensions/reference).
Revoking Secrets
At any time, if your secrets are compromised, you can use the Revoke All Secrets option on the extension’s Settings page under Secret Keys. View this as a kill switch: it immediately deletes all secrets associated with a specified extension.
Optionally, you can revoke all secrets by using the [Create Extension Secret](https://dev.twitch.tv/docs/api/reference#create-extension-secret) endpoint, which rotates any current secrets out of service.
Expected documentation
Rotating Secrets
To keep your secrets from becoming useless, you must rotate them before they expire. To do so, create a new secret on the extension’s Settings page under Secret Keys. The table will update, showing when the previous key will expire and the new key will be active.
Because of the activation delay, you can have multiple secrets active for some (configurable) period of time. For signing, use the active secret with the latest expiration time.
For a higher level of security, you can rotate secrets programmatically on a scheduled basis. For more information, see the [Extensions Reference](https://dev.twitch.tv/docs/extensions/reference).
Revoking Secrets
At any time, if your secrets are compromised, you can use the Revoke All Secrets option on the extension’s Settings page under Secret Keys. View this as a kill switch: it immediately deletes all secrets associated with a specified extension.
Optionally, you can revoke all secrets by using the [Create Extension Secret](https://dev.twitch.tv/docs/api/reference#create-extension-secret) endpoint, which rotates any current secrets out of service.
Note: This option is for emergency situations where a secret has been compromised and breaking the extension is preferable to waiting for the secret to cycle.
