Protecting Sage Intacct Developer Credentials
Safeguarding your authentication credentials for Sage Intacct APIs is fundamental to integration security and operational continuity. The legacy Sender ID approach and the preferred Web Services ID method present distinct risks and security controls.
Legacy Sender ID / Password
•	Purpose: Used for connections via the older XML-based API; single universal credential for an environment.
•	Risks: The same Sender ID and password are shared by all users and integrations. Password changes require a Sage support ticket and disrupt all integrations relying on the Sender ID.
•	Limitations: Lacks user- or role-based access controls; Sender ID alone does not grant access to company data without additional context.
•	Best Practice: Do not share Sender ID or password outside your organization. Store these credentials in a secure, centralized system (ideally encrypted and access-controlled), and document every integration where they are used for easy updates. Prefer dedicated vault tools or encrypted application settings.
Web Services ID / Password
•	Purpose: Used with the more secure API features and provides individual credentials per integration.
•	Benefits: Enables assignment of custom roles and permissions, supporting the principle of least privilege. Credentials are unique per integration and can be disabled instantly for revocation and control.
•	Recommended Use: Set up tailored roles for each integration limiting access only to necessary functionality (avoid full Admin). Use the company email or specific integration contact for credential notifications.
•	Credential Management: Maintain records of active Web Services IDs, store them securely, and regularly audit access. Revoke and rotate as integrations change.
Company ID / Instance Name
•	Required for any integration as the environment identifier; treat as sensitive metadata and limit distribution to necessary staff and applications.
Tracking and Credential Rotation
•	Keep a secure, up-to-date inventory of all Sender IDs and Web Services IDs in use. Document all locations and applications where these IDs are embedded.
•	For vendors or third-party applications, use a secure utility or portal for credential entry that stores these details encrypted and inaccessible to end users.
•	Rotate credentials periodically and after any personnel or integration changes. Use Sage support to reset Sender ID passwords as needed, and promptly update all dependent integrations.
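One way to turn the inventory and rotation guidance above into a repeatable check, as an added example that is not Sage or vendor code. The record fields, the 90-day interval, the storage labels and the sample IDs are all assumptions or constructed values.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_AGE_DAYS = 90  # assumed interval; the guidance only says "periodically"
SAFE_STORES = {"vault", "encrypted-config"}  # assumed labels for approved storage

@dataclass
class Credential:
    cred_id: str        # Sender ID or Web Services ID (constructed values below)
    kind: str           # "sender" or "web_services"
    role: str           # role assigned in Sage Intacct ("" for Sender IDs)
    storage: str        # where the secret is kept
    last_rotated: date
    used_by: list = field(default_factory=list)  # integrations embedding it

def audit(creds, today, changes=()):
    """Return {cred_id: [findings]}; changes is (integration, date) events."""
    findings = {}
    for c in creds:
        issues = []
        if (today - c.last_rotated).days > MAX_AGE_DAYS:
            issues.append("rotation overdue")
        if c.storage not in SAFE_STORES:
            issues.append(f"stored in {c.storage}")
        if not c.used_by:
            issues.append("no documented usage")
        if c.kind == "web_services" and c.role.lower() == "admin":
            issues.append("full Admin role")
        if c.kind == "web_services" and len(c.used_by) > 1:
            issues.append("shared across integrations")
        if any(n in c.used_by and when > c.last_rotated for n, when in changes):
            issues.append("not rotated since integration/personnel change")
        if issues:
            findings[c.cred_id] = issues
    return findings

def sender_reset_impact(creds, sender_id):
    """Integrations to update when a Sender ID password is reset."""
    return sorted({i for c in creds if c.kind == "sender"
                   and c.cred_id == sender_id for i in c.used_by})

# Constructed sample inventory
INVENTORY = [
    Credential("ACME-SENDER", "sender", "", "vault", date(2024, 1, 10), ["payroll-sync", "bi-export"]),
    Credential("ws-payroll", "web_services", "Payroll Sync Role", "vault", date(2024, 5, 20), ["payroll-sync"]),
    Credential("ws-legacy", "web_services", "Admin", "spreadsheet", date(2023, 6, 1), []),
]
```

Running `sender_reset_impact` before filing a Sender ID password reset with Sage support gives the list of integrations that will need the new password.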
Final Recommendations
•	Always prefer Web Services ID authentication with role-based privileges and individual credentials per integration.
•	Store all credentials in encrypted vaults or configuration secrets—not in code or shared spreadsheets.
•	Maintain documented mappings of credential use across all platforms and integrations for rapid updates when changes are needed.
•	Periodically audit Sage Intacct roles/permissions and integration credential usage to catch overlooked risks and forgotten hard-coded values.
This approach will significantly improve your credential management, reduce business risk, and sharpen the security of your Sage Intacct integrations.
 
                            