Hi MG,

Resetting the developer token every month doesn't give you any extra benefit from a security standpoint. The only situation in which it makes sense to reset a developer token is when it gets shared with someone, and you don't want that person making API calls using that token. On the other hand, resetting a developer token means that you have to redeploy your application with the new developer token (since the old token no longer works), and it becomes difficult for us to troubleshoot an issue you may have, since the issue might have happened a couple of months back, and tracking by token becomes difficult since you'd have reset the developer token a couple of times by then. Developer token doesn't influence account ACLs.

You can reset the clientSecret as part of the security policy. When doing an offline flow, ClientSecret is the secret passphrase that proves to the authentication server that the client app is authorized to make a request on behalf of the user. See some discussion here <http://salesforce.stackexchange.com/questions/14009/whats-the-benefit-of-the-client-secret-in-oauth2>.

IMO the best way to enforce a password policy would be to require that your AdWords account's password is reset AND your refresh token is revoked at regular intervals.

Cheers,
Anash P. Oommen,
AdWords API Advisor.

On Monday, September 29, 2014 10:17:44 AM UTC-4, AdWordsApiUser wrote:
>
> Thanks for your reply Josh!
>
> We're putting an internal security policy in place, and are deciding
> what all should be reset every month (think of it as enforcing a periodic
> password change policy).
>
> There is also the client secret that can be reset in Google API console.
> Should we reset that instead? Could you also confirm if resetting the
> client secret would have any impact on existing OAuth2 grants?
>
> Out of curiosity, why does the API team recommend not resetting the
> developer token?
>
> Cheers, and have a good week everyone!
> MG
>
> On Monday, September 29, 2014 7:31:09 PM UTC+5:30, Josh Radcliff (AdWords
> API Team) wrote:
>>
>> Hi MG,
>>
>> No, the OAuth2 grants will not be lost. The developer token is not linked
>> to the OAuth2 credentials. However, if you take this approach you'll have
>> to ensure that any code using the previous developer token picks up the new
>> one. Per the *AdWords API Center*:
>>
>>> Please note that we advise against resetting your developer token, except
>>> in rare cases such as compromised or stolen token. When you reset it:
>>> Any code using your previous developer token will not function.
>>> This action is final and cannot be undone.
>>
>> What is the motivation behind resetting the developer token on a monthly
>> basis?
>>
>> Cheers,
>> Josh, AdWords API Team
>>
>> On Sunday, September 28, 2014 7:16:01 AM UTC-4, AdWordsApiUser wrote:
>>>
>>> Hello,
>>>
>>> My boss wants me to reset the developer token every N days. Would the
>>> OAuth2 grants be lost once I do that?
>>>
>>> Thanks!
>>> MG
>>>
>>

--
--
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog and Google+:
https://googleadsdeveloper.blogspot.com/
https://plus.google.com/+GoogleAdsDevelopers/posts
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

You received this message because you are subscribed to the Google Groups "AdWords API Forum" group.
To post to this group, send email to adwords-api@googlegroups.com
To unsubscribe from this group, send email to adwords-api+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en
To view this discussion on the web visit https://groups.google.com/d/msgid/adwords-api/bd2ecd16-9f31-42f9-a4fc-0ca157940a82%40googlegroups.com.