
You are receiving unexpected subscriptions created daily at 3 AM, likely due to an automated process (such as a cron job) from an unknown source, possibly implemented by a previous developer. You want to reset the client secret without disrupting the production app. Additionally, you would like to identify the origin of the unauthorized subscriptions.

Solution: Currently, there is no way to reset an application’s client secret directly. To resolve this issue without disrupting your production app, follow these steps:

  1. Clone Your Existing Application:

    • Cloning the application will generate a new client ID and client secret.

    • This ensures that you have a fresh set of credentials to use for your legitimate production instance.

  2. Update Your Production App with the New Credentials:

    • Replace the old client ID and client secret with the newly generated ones in your application.

    • Verify that your application continues to function properly with the new credentials.

  3. Suspend the Old Application:

    • Once you have confirmed the new credentials are working correctly, suspend the old application.

    • This will prevent any unauthorized API calls using the previous client ID and secret.

  4. Monitor for Unauthorized Activity:

    • Any unauthorized app still using the old credentials will start receiving rejections from the API.

    • Monitor logs for attempted API calls using the old credentials to help identify the origin of the unexpected subscriptions.

Identifying the Origin of Unexpected Subscriptions: While there is no direct way to trace the source of these subscriptions, you can take the following actions:

  • Check server logs for API call timestamps and source IP addresses.

  • Review code repositories for old credentials or cron jobs that might be running the subscription process.

  • Work with your IT team to identify any unauthorized scripts or third-party integrations using the old credentials.
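One way to carry out the log check above, as an added example that is not part of the original article: it groups requests that create subscriptions by source IP and reports sources that recur in the 3 AM hour on several days. The log format (Combined Log Format), the `/subscriptions` path, the IP addresses and the status codes are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumption: your proxy or gateway writes Combined
# Log Format; the /subscriptions path is a placeholder for the real endpoint).
# The 401 on the last day stands in for a rejection after the old app is suspended.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:03:00:02 +0000] "POST /subscriptions HTTP/1.1" 201 512
198.51.100.4 - - [10/Mar/2025:14:22:10 +0000] "POST /subscriptions HTTP/1.1" 201 498
203.0.113.7 - - [11/Mar/2025:03:00:01 +0000] "POST /subscriptions HTTP/1.1" 201 512
198.51.100.4 - - [11/Mar/2025:09:05:44 +0000] "GET /subscriptions HTTP/1.1" 200 1200
203.0.113.7 - - [12/Mar/2025:03:00:03 +0000] "POST /subscriptions HTTP/1.1" 401 87
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def recurring_callers(log_text, path="/subscriptions", hour=3, min_days=2):
    """Return {ip: {"days": [...], "statuses": [...]}} for sources that POST to
    `path` during `hour` (in the log's timezone) on at least `min_days` days."""
    hits = defaultdict(lambda: {"days": set(), "statuses": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and m["path"].startswith(path) and ts.hour == hour:
            hits[m["ip"]]["days"].add(ts.date().isoformat())
            hits[m["ip"]]["statuses"].append(int(m["status"]))
    # Keep only sources seen in that hour on enough distinct days
    return {
        ip: {"days": sorted(v["days"]), "statuses": v["statuses"]}
        for ip, v in hits.items() if len(v["days"]) >= min_days
    }

if __name__ == "__main__":
    for ip, info in recurring_callers(SAMPLE_LOG).items():
        print(ip, info["days"], info["statuses"])
```

A source whose status codes switch from success to rejection on the day the old application is suspended is a caller still holding the old credentials.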
