# Security

## Authentication

How API credentials are handled is outside the control of the application, and it is the most common area where security can be compromised.

### ManageBac+

ManageBac uses an **API token** method for authentication. It is strongly recommended to include the token in the **request header** rather than as a query parameter. This helps prevent accidental exposure, as query parameters:

* Can be visible in screenshots
* May be copied, pasted, or stored unintentionally in browser histories or logs
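
The following is an added example, not part of the ManageBac+ documentation: it builds a request that carries the token in a header and audits log lines for tokens that ended up in a query string. The header name `auth-token`, the parameter names, the host `api.example.test` and the `/v2/students` path are assumptions for illustration, and the log lines are constructed.

```python
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names, not taken from this page: confirm them in the API reference.
TOKEN_HEADER = "auth-token"
SENSITIVE_PARAMS = {"auth_token", "token", "access_token", "api_key"}

def leaked_params(url):
    """Return the credential-like query parameter names present in a URL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})

def build_request(url, token):
    """Build a GET request with the token in a header, never in the URL."""
    if leaked_params(url):
        # The message deliberately omits the URL so the token is not re-logged.
        raise ValueError("credential found in query string; move it to the header")
    return urllib.request.Request(url, headers={TOKEN_HEADER: token})

def redact(url):
    """Return a copy of the URL that is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def audit_log(lines):
    """Yield (line_number, redacted_url) for each logged URL exposing a credential."""
    for number, line in enumerate(lines, 1):
        for word in line.split():
            if word.startswith(("https://", "http://", "/")) and leaked_params(word):
                yield number, redact(word)

# Constructed access-log lines: the second one shows a token sent as a query parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /v2/students?page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /v2/students?page=2&auth_token=EXAMPLE-TOKEN HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    request = build_request("https://api.example.test/v2/students?page=2", "EXAMPLE-TOKEN")
    print("URL as it would be logged:", request.full_url)
    for number, url in audit_log(SAMPLE_LOG):
        print(f"log line {number} exposed a credential: {url}")
```

Any token that `audit_log` finds in existing logs should be treated as exposed.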

### OpenApply

OpenApply uses **OAuth2**, an industry-standard method for secure API authentication. Each integration requires an **API ID and secret**, which should be treated like a password.

To minimize risk:

* Store the ID and secret securely in your integration platform
* When sharing credentials with a third party, use **separate channels** (e.g., share the ID by secure email and the secret by text message)
* **Avoid** sending credentials in plain text via email or storing them in documents with broad access

## Data in Transit

All API traffic is transmitted over HTTPS, ensuring that data exchanged between systems is encrypted and secure in transit.

## Mitigating Risk

Think of your API credentials as a passcode to your school’s data. Because they grant access to sensitive information, they must be handled with care.

To help you manage this, both the **ManageBac+** and **OpenApply** API Managers include security tools:

* **Revoke credentials at any time**\
  If credentials are accidentally exposed, you can immediately disable them.
* **Generate new credentials**\
  Refreshing your ID and secret invalidates the previous ones, rendering them useless even if compromised.

If you believe credentials may have been mishandled, we recommend refreshing them right away. This simple step ensures continued protection of your data.

As a **best practice**, rotate your credentials **every 6 months**. OpenApply will occasionally provide reminders, and our support team is available to assist with this process.

By following these guidelines, you can help keep your school’s systems and data safe.


