> ## Documentation Index
> Fetch the complete documentation index at: https://developers.luccasoftware.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Best Practices

> Your Lucca account contains sensitive data which you wouldn't want leaked.

<Steps>
  <Step title="Create a new client application for each integration scenario">
    This limits the depth and breadth of OAuth scopes granted to any single client application, reducing exposure in case of a credential leak.
  </Step>

  <Step title="Fewer scopes is better">
    Only give the bare minimum scopes needed to your client application.

    Similarly, only request the subset of scopes needed to achieve what you want when requesting an access\_token. In any case, there's a limit to the number of scopes (max: 4,000 characters) that can be granted to a single access\_token and you will get an error if you attempt to exceed it.
  </Step>

  <Step title="Request a new access token for each new exchange">
    Divide your integration scenario into atomic flows, and generate an access\_token for each one. This makes it possible to give a very restricted set of oauth scopes to each access\_token.

    The Lucca API imposes a short lifetime to all access\_tokens in order to encourage such behavior.
  </Step>

  <Step title="Do not share, commit and/or publish the `client_secret`">
    Make them environment variables. Never commit or push them to your repository.

    If you do, then revoke them via the "client application" administration interface.
  </Step>

  <Step title="Verify webhook-events signatures">
    Make sure your webhook endpoint that receives events [verifies their signature](./webhooks/catching/validate).
  </Step>
</Steps>

***

## Revoking Access

If a `client_secret` or an `access_token` is ever compromised, you should revoke it immediately.

<Steps>
  <Step title="Revoke the client secret">
    Go to the "client application" administration interface in your Lucca account and regenerate the secret for the relevant client application. The old secret becomes immediately invalid.
  </Step>

  <Step title="Rotate your credentials">
    Update the new `client_secret` in your integration and re-generate any access tokens derived from the old secret.
  </Step>

  <Step title="Audit recent activity">
    Review your [webhook delivery logs](./webhooks/troubleshooting) and API usage for signs of unauthorized access.
  </Step>

  <Step title="Report a security vulnerability">
    If you suspect a security breach, please report it via our [support platform](https://support.lucca.fr/) or email [security@luccasoftware.com](mailto:security@luccasoftware.com).
  </Step>
</Steps>
