{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Manage API credentials","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"manage-api-credentials","__idx":0},"children":["Manage API credentials"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["API credentials let your systems interact with Wallet-as-a-Service (Palisade) programmatically. Every credential authenticates with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0 client credentials"]}," (this is the only supported flow) and is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["scoped with a permission set"]}," that defines exactly what it can do. As an owner or administrator, you create, scope, and manage credentials to control what each integration can access."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"how-api-credentials-work","__idx":1},"children":["How API credentials work"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each API credential consists of a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client secret"]},". Your application exchanges these for a time-limited Bearer token (valid for 1 hour) that authenticates API requests."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Permission sets scope credentials and define exactly what the credential can do. Each permission has four components:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Component"},"children":["Component"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Type"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The resource category (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["balances"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["key"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["vault"]},")"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The operation (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["create"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["delete"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["read"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["update"]},")"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["How broadly the permission applies (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["org"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["vault"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["key"]},")"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Resource"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A specific vault or wallet (optional — leave blank for all resources in the scope)"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"create-api-credentials","__idx":2},"children":["Create API credentials"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API credentials"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create credentials"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["permission set type"]}," — this pre-populates a set of default permissions:"]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Permission set type"},"children":["Permission set type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"What it grants"},"children":["What it grants"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Wallets"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Manage wallets and vaults"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Transactions"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Manage transactions"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Controls"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Manage policies and addresses"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitoring"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Webhooks and auditing"]}]}]}]}]},{"$$mdtype":"Tag","name":"ol","attributes":{"start":4},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["name"]}," (5–50 characters). Choose a descriptive name that identifies the integration (for example, \"Production - Transaction Service\")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter an optional ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["description"]}," (5–50 characters)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Configure ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["IP addresses"]},":",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["All IP addresses"]}," (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["0.0.0.0/0"]},") — suitable for sandbox testing."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Limited IP addresses"]}," — enter up to 6 IPv4 addresses or CIDR ranges. Use this in production."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Review the default permissions. Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add another permission"]}," to add more, or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Remove"]}," to delete one."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Generate credentials"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client secret"]},"."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Store the client secret securely"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Palisade displays the client secret only once. Store it in a secrets manager or secure vault. If you lose it, you must delete the credential and create a new one."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scope-credentials-with-least-privilege","__idx":3},"children":["Scope credentials with least privilege"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Apply the principle of least privilege to every credential:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use the narrowest scope"]}," — if a credential only needs access to one vault, set the scope to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["vault"]}," and specify that vault as the resource. Avoid ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["org"]}," scope unless the credential genuinely needs organization-wide access."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Limit actions"]}," — grant only the actions the integration needs. A monitoring service needs ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["read"]}," only, not ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["create"]}," or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["delete"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["One credential per integration"]}," — create separate credentials for each service or application. This limits the blast radius if someone compromises a credential."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Scoping example"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A transaction monitoring service needs to read transactions across all vaults but must not create or modify anything. Create a credential with the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitoring"]}," permission set type, then remove any ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["create"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["update"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["delete"]}," permissions. Keep only ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["read"]}," actions."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-ip-whitelisting","__idx":4},"children":["Configure IP whitelisting"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["IP whitelisting restricts which network addresses can use a credential."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Sandbox"]}," — use ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["All IP addresses"]}," for convenience during development."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Production"]}," — always use ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Limited IP addresses"]}," with the specific IPs or CIDRs of your application servers."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can configure up to 6 IP entries per credential. Each entry can be a single IPv4 address or a CIDR range."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"disable-a-credential","__idx":5},"children":["Disable a credential"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Disabling a credential immediately prevents it from authenticating. Existing tokens issued by the credential continue to work until they expire (up to 1 hour)."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use disabling when:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You suspect credential compromise"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A team member who managed the integration leaves"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You need to temporarily pause an integration for maintenance"]}]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API credentials"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the credential."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Disable"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To re-enable, open the credential and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enable"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"delete-a-credential","__idx":6},"children":["Delete a credential"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Deleting permanently removes the credential. Any integration using it stops working immediately after existing tokens expire."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API credentials"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the credential."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delete"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Confirm the deletion."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"best-practices","__idx":7},"children":["Best practices"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Rotate credentials regularly"]}," — delete old credentials and create new ones on a defined schedule (for example, quarterly)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitor credential usage"]}," — use ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/configure-audit-logging"},"children":["audit logging"]}," to track which credentials are making API calls and when."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Require approval for new credentials"]}," — set up an approval group for API credentials to prevent unauthorized creation. See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/configure-approval-flows"},"children":["Configure approval flows"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use IP whitelisting in production"]}," — never use \"All IP addresses\" in production environments."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Separate by environment"]}," — use different credentials for sandbox and production. Never share credentials across environments."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Document credential ownership"]}," — record which team or service owns each credential and who is responsible for rotating it."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related-guides","__idx":8},"children":["Related guides"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/api/api-credentials-best-practices"},"children":["API credentials best practices"]}," — Step-by-step reference with code examples"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/api/what-are-credentials-in-palisade"},"children":["What are credentials in Palisade"]}," — Conceptual overview"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/api/manage-api-credentials"},"children":["Manage API credentials"]}," — Reference documentation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/getting-started/getting-started-api"},"children":["Getting started with the API"]}," — End-to-end API walkthrough"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/configure-approval-flows"},"children":["Configure approval flows"]}," — Require approval for credential creation"]}]}]},"headings":[{"value":"Manage API credentials","id":"manage-api-credentials","depth":1},{"value":"How API credentials work","id":"how-api-credentials-work","depth":2},{"value":"Create API credentials","id":"create-api-credentials","depth":2},{"value":"Scope credentials with least privilege","id":"scope-credentials-with-least-privilege","depth":2},{"value":"Configure IP whitelisting","id":"configure-ip-whitelisting","depth":2},{"value":"Disable a credential","id":"disable-a-credential","depth":2},{"value":"Delete a credential","id":"delete-a-credential","depth":2},{"value":"Best practices","id":"best-practices","depth":2},{"value":"Related guides","id":"related-guides","depth":2}],"frontmatter":{"title":"Manage API credentials","seo":{"title":"Manage API credentials"}},"lastModified":"2026-05-26T12:21:11.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/admin-guide/manage-api-credentials","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}