Skip to content
>
Mode: standard

Regenerate Integration Secret

Dashboard · Security

Rotate the client secret on a compromised or lost integration.

If you've lost or leaked an integration's client secret, regenerate it from the dashboard. This is the only way to invalidate the old secret — there is no API equivalent. Plan the rotation first; once you click reset every active session on this integration stops working instantly.

This invalidates every active session immediately

Regenerating the secret revokes the previous one the instant the reset completes — there is no overlap window. Any system using the old secret will fail authentication until you redeploy with the new value. Coordinate deployment of the new secret across every consumer before you rotate.

Before you rotate

A short checklist
  • Identify every service that signs requests with this integration's secret.
  • Stage the new secret in your secret store (Vault, AWS Secrets Manager, env vars, etc.) so a redeploy can flip atomically.
  • Pause any scheduled jobs that depend on this integration if you cannot tolerate a brief 401 spike during cut-over.
  • Have the verification code for webhooks ready to redeploy at the same time.

Regenerate the secret

Four-step dashboard procedure
Step 1Navigate to Integrations
From the CoinPayments dashboard, open the Integrations tab in the side navigation.
Dashboard side navigation with the Integrations tab highlighted
Step 2Select the integration
Open the integration whose client secret you want to rotate. Double-check the name — regenerating affects only this integration.
Integrations list with the target integration highlighted
Step 3Reset the client secret
Click the regenerate / reset action on the integration detail page. The action is irreversible — the previous secret is immediately revoked.
Integration detail page with the reset client secret button highlighted
Step 4Copy and save the new secret
The new client secret is shown only once at this screen. Copy it into your secret store now — once you navigate away, it cannot be retrieved again and you'll have to regenerate a second time.
New client secret displayed with a copy button highlighted

What gets invalidated

The blast radius of a rotation
  • In-flight API requests

    Any request signed with the old secret will be rejected with 401 the moment the new secret is issued.

  • Webhook signature verification

    Inbound webhooks are still delivered, but your verification code must switch to the new secret — otherwise every callback will fail HMAC comparison. See Authenticating Requests.

Secret shown only once

The new client secret is displayed on the confirmation screen and never shown again. Copy it into your secret store immediately — if you lose it you'll have to regenerate a second time, which means another full rotation cycle.

Secret Security

Never paste a client secret into source control, client-side code, or a shared chat thread — treat it with the same care as a database password.