# Manage API credentials API credentials let your systems interact with Wallet-as-a-Service (Palisade) programmatically. Every credential authenticates with **OAuth 2.0 client credentials** (this is the only supported flow) and is **scoped with a permission set** that defines exactly what it can do. As an owner or administrator, you create, scope, and manage credentials to control what each integration can access. ## How API credentials work Each API credential consists of a **client ID** and **client secret**. Your application exchanges these for a time-limited Bearer token (valid for 1 hour) that authenticates API requests. Permission sets scope credentials and define exactly what the credential can do. Each permission has four components: | Component | Description | | --- | --- | | **Type** | The resource category (for example, `balances`, `key`, `vault`) | | **Action** | The operation (`create`, `delete`, `read`, `update`) | | **Scope** | How broadly the permission applies (`org`, `vault`, `key`) | | **Resource** | A specific vault or wallet (optional — leave blank for all resources in the scope) | ## Create API credentials 1. Go to **Settings** > **API credentials**. 2. Select **Create credentials**. 3. Select a **permission set type** — this pre-populates a set of default permissions: | Permission set type | What it grants | | --- | --- | | **Wallets** | Manage wallets and vaults | | **Transactions** | Manage transactions | | **Controls** | Manage policies and addresses | | **Monitoring** | Webhooks and auditing | 1. Enter a **name** (5–50 characters). Choose a descriptive name that identifies the integration (for example, "Production - Transaction Service"). 2. Enter an optional **description** (5–50 characters). 3. Configure **IP addresses**: - **All IP addresses** (`0.0.0.0/0`) — suitable for sandbox testing. - **Limited IP addresses** — enter up to 6 IPv4 addresses or CIDR ranges. Use this in production. 4. Review the default permissions. Select **Add another permission** to add more, or **Remove** to delete one. 5. Select **Generate credentials**. 6. Copy the **client ID** and **client secret**. Store the client secret securely Palisade displays the client secret only once. Store it in a secrets manager or secure vault. If you lose it, you must delete the credential and create a new one. ## Scope credentials with least privilege Apply the principle of least privilege to every credential: - **Use the narrowest scope** — if a credential only needs access to one vault, set the scope to `vault` and specify that vault as the resource. Avoid `org` scope unless the credential genuinely needs organization-wide access. - **Limit actions** — grant only the actions the integration needs. A monitoring service needs `read` only, not `create` or `delete`. - **One credential per integration** — create separate credentials for each service or application. This limits the blast radius if someone compromises a credential. Scoping example A transaction monitoring service needs to read transactions across all vaults but must not create or modify anything. Create a credential with the **Monitoring** permission set type, then remove any `create`, `update`, or `delete` permissions. Keep only `read` actions. ## Configure IP whitelisting IP whitelisting restricts which network addresses can use a credential. - **Sandbox** — use **All IP addresses** for convenience during development. - **Production** — always use **Limited IP addresses** with the specific IPs or CIDRs of your application servers. You can configure up to 6 IP entries per credential. Each entry can be a single IPv4 address or a CIDR range. ## Disable a credential Disabling a credential immediately prevents it from authenticating. Existing tokens issued by the credential continue to work until they expire (up to 1 hour). Use disabling when: - You suspect credential compromise - A team member who managed the integration leaves - You need to temporarily pause an integration for maintenance 1. Go to **Settings** > **API credentials**. 2. Select the credential. 3. Select **Disable**. To re-enable, open the credential and select **Enable**. ## Delete a credential Deleting permanently removes the credential. Any integration using it stops working immediately after existing tokens expire. 1. Go to **Settings** > **API credentials**. 2. Select the credential. 3. Select **Delete**. 4. Confirm the deletion. ## Best practices - **Rotate credentials regularly** — delete old credentials and create new ones on a defined schedule (for example, quarterly). - **Monitor credential usage** — use [audit logging](/products/wallet/admin-guide/configure-audit-logging) to track which credentials are making API calls and when. - **Require approval for new credentials** — set up an approval group for API credentials to prevent unauthorized creation. See [Configure approval flows](/products/wallet/admin-guide/configure-approval-flows). - **Use IP whitelisting in production** — never use "All IP addresses" in production environments. - **Separate by environment** — use different credentials for sandbox and production. Never share credentials across environments. - **Document credential ownership** — record which team or service owns each credential and who is responsible for rotating it. ## Related guides - [API credentials best practices](/products/wallet/user-interface/api/api-credentials-best-practices) — Step-by-step reference with code examples - [What are credentials in Palisade](/products/wallet/user-interface/api/what-are-credentials-in-palisade) — Conceptual overview - [Manage API credentials](/products/wallet/user-interface/api/manage-api-credentials) — Reference documentation - [Getting started with the API](/products/wallet/getting-started/getting-started-api) — End-to-end API walkthrough - [Configure approval flows](/products/wallet/admin-guide/configure-approval-flows) — Require approval for credential creation