# Generate and rotate API credentials

Use this guide to generate a client ID and secret for API access, rotate credentials when needed, and manage your organization's API credentials in the Payments Direct interface.

## Prerequisites

- You must have the **API Credentials: Can Edit** permission.
- Your organization can hold a maximum of 3 API credentials at a time.


## Generate a new API credential

1. In the left navigation, select **Settings**.
2. Select **Credentials**.
3. Select **New Credential**.
If your organization already has 3 credentials, the **New Credential** button is disabled. Delete an existing credential before creating a new one.
4. Enter a **Credential name** to identify the credential in the list.
5. Select **Save & Generate Key**.


A dialog appears showing the credential details:

| Field | Description |
|  --- | --- |
| **Audience** | The API audience value for your environment. |
| **Client ID** | The unique identifier for this credential. |
| **Secret** | The generated secret key. |


Save your secret now
The secret is displayed only once. After you close this dialog, it cannot be retrieved. Copy the secret and store it in a secure location before closing.

1. Copy the Client ID and secret, then select **Close**.


## Rotate an API credential

Rotate a credential to generate a new secret while keeping the same Client ID. Use this when a secret is compromised or as part of a regular credential rotation schedule.

1. In the left navigation, select **Settings**.
2. Select **Credentials**.
3. On the credential card you want to rotate, select the **...** action menu.
4. Select **Rotate Credential**.
5. In the confirmation dialog, select **Rotate Credential** to confirm.


A dialog appears showing the rotated credential's new secret.

Save your new secret now
The new secret is displayed only once. The previous secret is immediately invalidated. Copy and store the new secret before closing.

1. Copy the new secret, then select **Close**.


Update any API clients or integrations using the old secret to use the new one.

## Rename a credential

1. On the credential card you want to rename, select the **...** action menu.
2. Select **Edit**.
3. Update the **Credential name**.
4. Select **Save**.


## Delete a credential

You can delete non-primary credentials that are no longer needed.

Primary credential
The primary credential cannot be deleted. To remove it, you must first designate a different credential as primary, or contact your Ripple representative.

1. On the credential card you want to delete, select the **...** action menu.
2. Select **Delete**.
3. In the confirmation dialog, select **Delete** to confirm.


The credential is permanently removed. Any API clients using the deleted credential will immediately lose access.

## What to do next

- Use the Client ID and secret to authenticate API requests. For instructions, see [Request an access token](/products/payments-direct-2/api-docs/developer-guides/request-an-access-token).
- If you need to control which IP addresses can use the API, see your Ripple representative for network-level access controls.