Testing vendor APIs with live credentials


Provide examples of how to use API credentials, to encourage good credential hygiene amongst Login.gov engineers.

See also: TTS Handbook page on Sensitive Information

Approved places to put credentials

  • Google Docs (with limited visibility/permissions)
  • Google Sheets (with limited visibility/permissions)
  • Google Chat (not persisted)
  • S3 config YMLs
  • AWS Secrets Manager



  • Do not share credentials in Slack (FOIA-able)
  • Do not store credentials on developer laptops at all
  • Do not commit credentials to source

Example Workflow

Goal: test against a brand new partner API using live credentials for their test/sandbox/staging environment

Note: Production credentials and sending production data should only happen in the production environment (prod, staging, dm)

  1. Write code locally, read secrets from IdentityConfig.store.xyz
  2. Upload actual credentials to S3 YML in a sandbox env (for test credentials) or prod env (for live credentials), use app-s3-secret
  3. Open a remote rails console, ssm-instance rails-c
  4. Manually paste in code to that Rails console (monkey patching)
  5. Run the code in that Rails console
  6. (repeat step 4-5 as needed to iterate)