Create a new client application for each integration scenario
This limits the depth and breadth of OAuth scopes granted to any single client application, reducing exposure in case of a credential leak.
Fewer scopes is better
Only give the bare minimum scopes needed to your client application. Similarly, only request the subset of scopes needed to achieve what you want when requesting an access_token. In any case, the scopes granted to a single access_token are limited in length (max: 4,000 characters), and you will get an error if you attempt to exceed that limit.
Request a new access token for each new exchange
Divide your integration scenario into atomic flows, and generate an access_token for each one. This makes it possible to give a very restricted set of OAuth scopes to each access_token. The Lucca API imposes a short lifetime on all access_tokens in order to encourage this behavior.
Do not share, commit and/or publish the `client_secret`
Store the `client_secret` in environment variables. Never commit or push it to your repository. If you do, revoke it via the “client application” administration interface.
Verify webhook-events signatures
Make sure your webhook endpoint that receives events verifies their signature.
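As an added illustration (not Lucca's own code, and not Lucca's documented scheme), the check below assumes an HMAC-SHA256 signature over the timestamp and raw body, carried in two hypothetical headers, and rejects missing, mismatched or stale signatures; the header names, the signed-payload format and the sample event are all assumptions to be replaced by what the Lucca webhook documentation specifies.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed scheme (hypothetical, not Lucca's): the sender puts a Unix timestamp in
# X-Webhook-Timestamp and hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")) in
# X-Webhook-Signature. Adapt header names and payload format to the real docs.
WEBHOOK_SECRET = b"constructed-example-secret"  # in practice: read from an environment variable
MAX_AGE_SECONDS = 300  # reject deliveries older than this to limit replay of a captured request


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Return the hex HMAC-SHA256 of "<timestamp>.<body>" under the shared secret."""
    signed_payload = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(headers: Dict[str, str], body: bytes,
                   secret: bytes = WEBHOOK_SECRET, now: Optional[float] = None) -> bool:
    """True only if the delivery carries a fresh, valid signature over the exact raw body."""
    timestamp = headers.get("X-Webhook-Timestamp")
    signature = headers.get("X-Webhook-Signature")
    if not timestamp or not signature:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:
        return False  # stale or clock-skewed delivery
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison so an attacker cannot learn the expected value byte by byte.
    return hmac.compare_digest(expected.encode("ascii"), signature.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample delivery, signed with the example secret.
    sample_body = b'{"event":"user.created","id":42}'
    sample_ts = "1700000000"
    sample_headers = {"X-Webhook-Timestamp": sample_ts,
                      "X-Webhook-Signature": compute_signature(WEBHOOK_SECRET, sample_ts, sample_body)}
    print("valid:", verify_webhook(sample_headers, sample_body, now=1700000010))
```

Always verify against the raw request bytes, not a re-serialized JSON object, since any whitespace or key-order change alters the HMAC.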
Revoking Access
If a client_secret or an access_token is ever compromised, you should revoke it immediately.
Revoke the client secret
Go to the “client application” administration interface in your Lucca account and regenerate the secret for the relevant client application. The old secret becomes immediately invalid.
Rotate your credentials
Update your integration with the new client_secret and re-generate any access tokens derived from the old secret.
Audit recent activity
Review your webhook delivery logs and API usage for signs of unauthorized access.
Report a security vulnerability
If you suspect a security breach, please report it via our support platform or email security@luccasoftware.com.