This guide will be removed on April 29, 2022. Please use our new, easier-to-use Toast technical documentation site. All updated content is on the new site.

Do this

Follow these practices when you handle API credentials:

  • Save your API credentials as environment variables. If your team needs local access to credential strings, share them using a secret management service and store them in local environment variables.

  • Programmatically retrieve your API credentials at runtime from a secret management service. This allows you to rotate credentials without the need to update environment variables.

  • When possible, visually mask your client secret to decrease the likelihood of displaying the secret when you use a screen-sharing service or when other people can see your computer display.
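The three practices above combined in one place, as an added Python example that is not part of the Toast documentation. The variable names `TOAST_CLIENT_ID` and `TOAST_CLIENT_SECRET` and the `fetch_secret` hook are assumptions; connect the hook to whatever client your secret management service provides.

```python
import os
from typing import Callable, Mapping, Optional, Tuple

# Assumed variable names for this example; use whatever your deployment defines.
ID_VAR = "TOAST_CLIENT_ID"
SECRET_VAR = "TOAST_CLIENT_SECRET"


class MaskedSecret:
    """Holds a secret so that printing, logging or a REPL echo never shows it."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The only way to get the raw string; call it at the point of use.
        return self._value

    def __repr__(self) -> str:
        return "MaskedSecret('********')"

    __str__ = __repr__


def load_credentials(
    env: Mapping[str, str] = os.environ,
    fetch_secret: Optional[Callable[[str], Optional[str]]] = None,
) -> Tuple[str, MaskedSecret]:
    """Return (client_id, masked client secret).

    fetch_secret is a hypothetical hook around your secret management
    service's client. When supplied it is asked first on every call, so a
    rotated secret is picked up without touching environment variables.
    """
    client_id = env.get(ID_VAR, "").strip()
    secret = fetch_secret(SECRET_VAR) if fetch_secret else None
    if not secret:
        # Fall back to the locally stored environment variable.
        secret = env.get(SECRET_VAR, "")
    secret = secret.strip()
    missing = [n for n, v in ((ID_VAR, client_id), (SECRET_VAR, secret)) if not v]
    if missing:
        # Report variable names only; never echo a partial value in the error.
        raise RuntimeError("missing API credentials: " + ", ".join(missing))
    return client_id, MaskedSecret(secret)
```

Pass the `MaskedSecret` object around and call `reveal()` only where the authentication request is built, so stack traces and debug output show the mask instead of the secret.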