Application Management API

Learn how to use the Application Management API.

You use the Application Management API to rotate the client secret on registered applications.

Current version	Legacy versions	Available to sellers	Available to vendors
v2023-11-30 (Reference \| Model)	None	Yes	Yes

Release notes

To learn more about the terms that are used in this guide, refer to Terminology.

Use cases

The following use case examples are available for the Application Management API v2023-11-30:

Set up credential rotation notifications: Set up a credential rotation notification in Amazon Simple Queue Service (Amazon SQS) queue that alerts you when your credentials need to be rotated.
Rotate your application's client secret: Call the rotateApplicationClientSecret operation to rotate your client secrets.

Roles

rotateApplicationClientSecret

Attribute	Value
Regions	N/A
Required roles (need at least one)	None (grantless)

You must register an Amazon Simple Queue Service (Amazon SQS) queue for receiving credentials before you call the rotateApplicationClientSecret API operation. When you make the API call, a new client secret is created for the application that you're calling. The new credential is sent to your preregistered SQS queue along with the expiry time for the old credentials. You must update your application to use the new credential before the old credential expires.

Best practices

Use the expiration notification: We recommended using the expiration notification to invoke a rotation. The expiry time that is in the expiry notification serves as an indicator of when you need to rotate credentials.
Enable server-side encryption for SQS: For security, enable SQS server-side encryption and grant Amazon access to write to your SQS queue. For more information, refer to Grant Selling Partner API permission to write to your SQS queue.
Store your credentials in your application's credential vault: For security, make sure you don't pass the secret in an unencrypted format. We recommended storing credentials in a credential vault, such as KMS custom keys store.
Test your integration: Use the Application Management API on a draft application before using it on a production application. You can then test your infrastructure for loading the secret from your SQS queue to your application secret vault independently of your production application. After you receive the new secret for the draft application, use it to make sure it works.

Updated about 16 hours ago