This guide will be removed on April 29, 2022. Please use our new, easier-to-use Toast technical documentation site. All updated content is on the new site.
Follow these best practices when handling your API credentials:
- Save your API credentials as environment variables. If your team needs local access to credential strings, share them using a secret management service and store them in local environment variables.
- Programmatically retrieve your API credentials at runtime from a secret management service. This allows you to rotate credentials without the need to update environment variables.
- When possible, visually mask your client secret to decrease the likelihood of displaying the secret when you use a screen-sharing service or when other people can see your computer display.
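
The three practices above combined in one credential loader, as an added example (not code from the Toast documentation). The variable names `TOAST_CLIENT_ID` and `TOAST_CLIENT_SECRET` are assumptions, and `fetch` is a hypothetical callable standing in for whatever client your secret management service provides.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional

# Assumed variable names; use whatever names your deployment defines.
ENV_ID, ENV_SECRET = "TOAST_CLIENT_ID", "TOAST_CLIENT_SECRET"


@dataclass(frozen=True)
class ApiCredentials:
    client_id: str
    # repr=False keeps the secret out of repr(), log lines and tracebacks.
    client_secret: str = field(repr=False)

    def masked(self) -> str:
        # Fixed-width mask: reveals neither the characters nor the length.
        return f"{self.client_id}:********"


def from_env(env: Mapping[str, str] = os.environ) -> ApiCredentials:
    missing = [k for k in (ENV_ID, ENV_SECRET) if not env.get(k)]
    if missing:
        # Name the missing variables, never echo any values.
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return ApiCredentials(env[ENV_ID], env[ENV_SECRET])


class CredentialProvider:
    """Fetches credentials at runtime and re-fetches after ttl seconds,
    so a rotated secret is picked up without a redeploy."""

    def __init__(self, fetch: Callable[[], ApiCredentials], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._cached: Optional[ApiCredentials] = None
        self._expires = 0.0

    def get(self, force_refresh: bool = False) -> ApiCredentials:
        # force_refresh is for callers that just received an auth failure.
        if force_refresh or self._cached is None or self._clock() >= self._expires:
            self._cached = self._fetch()
            self._expires = self._clock() + self._ttl
        return self._cached
```

Log or display `creds.masked()` rather than the object's fields, and call `get(force_refresh=True)` when a request is rejected after a rotation.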