- Added a warning message to prevent a reviewer from losing work if they try to move to the previous/next review without saving their changes.
- Fixed an issue with scoring where sorting by average score would not accurately reflect the order.
- Fixed an issue with the Apply Connect Integrations page displaying an incorrect value for Client Secret. See below for more details.
On January 25th, 2024, we released a security update that included a change to how API credentials are generated and stored in Apply. Because of this update, the client secret visible on the Apply Connect integrations page was displaying a value meant to be used internally rather than the plain-text version that was visible before.
For any user who had API credentials generated before January 25th and who used the API on or after that date, an issue would occur if they tried to programmatically refresh their access token. This may have resulted in users copying the internal client secret to get their API connections up and running again.
- We have updated the Apply Connect integrations page to display the plain-text secret when the credentials are first generated. Afterward it will display as hidden and cannot be recovered. Make sure you copy it and keep it somewhere safe before navigating away from the page; otherwise you'll need to revoke and regenerate.
- If you lose your credentials or they're compromised, you will need to use the button on the page to delete the existing credentials, and regenerate new ones to continue using the API.
We will allow the updated client secret that was shown between January 25th and this release to continue to work until , after which any user who has not revoked and regenerated their credentials will need to do so in order to continue using the API.
- If you have been using the API since before January 25th and have your original client ID & secret, you don't need to do anything except start using your plain-text client secret again.
- If you do not have the original secret anymore, or first generated API credentials on or after January 25th, you will need to go to > > and use the button to revoke the existing credentials, then generate new ones if you want to keep using the API. Do this before so that your API usage is not impacted when we stop accepting the other secret.
Unfortunately, due to the secure nature of how these are stored in our database, we are not able to provide you with your original secret. If you do not know your original secret, you will need to revoke and regenerate the credentials.
No. The client secret displayed in error is still unique for every user and only users who had API access would have had access to the view where the credentials are displayed.
As security standards evolve, we constantly re-evaluate our own practices and incorporate these improvements into Apply. In this case, this means updating how we handle and store client secrets in our database so that they would be useless to anyone who didn't already know the original value. We can only validate that a value passed to us matches the stored value; we don't have access to the original value once it’s saved.
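The storage model described above, together with the temporary acceptance of the value that was displayed in error, sketched as an added example (this is not Apply's own code). The salted PBKDF2 scheme, the record field names, the work factor and the `grace_until` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def generate_credentials() -> Tuple[dict, str]:
    """Return (record_to_store, plaintext_secret).

    The plaintext is handed back once for display and is never stored.
    """
    plaintext = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    record = {
        "client_id": secrets.token_urlsafe(16),
        "salt": salt.hex(),
        "secret_hash": _digest(plaintext, salt).hex(),  # one-way value only
    }
    return record, plaintext


def verify_secret(record: dict, presented: str, now: datetime,
                  grace_until: Optional[datetime] = None) -> bool:
    """Check a presented secret against the stored one-way value."""
    expected = bytes.fromhex(record["secret_hash"])
    candidate = _digest(presented, bytes.fromhex(record["salt"]))
    if hmac.compare_digest(candidate, expected):
        return True
    # Transitional path: the stored value itself was displayed in error, so
    # accept it verbatim, but only before the cutoff.
    if grace_until is not None and now < grace_until:
        return hmac.compare_digest(presented.encode(),
                                   record["secret_hash"].encode())
    return False


if __name__ == "__main__":
    record, shown_once = generate_credentials()
    cutoff = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed date
    now = datetime(2029, 12, 1, tzinfo=timezone.utc)    # constructed date
    print(verify_secret(record, shown_once, now))                    # plaintext
    print(verify_secret(record, record["secret_hash"], now, cutoff)) # grace
```

Once the cutoff passes, or when `grace_until` is not set, only the plaintext issued at generation time validates, which is why a lost secret can only be replaced by revoking and regenerating.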
- With the update on January 25th we increased the access token expiry time to 30 days (from 2 hours).
In today’s release we added support for revoking both access token and refresh tokens through the /api/o/revoke_token/ endpoint. Check out our API documentation for more information.