We provide security features, as explained in the following articles:
- What are the Xendit Data security features?
- What are the Xendit Cloud security features?
- What are the Xendit Account security features?
We also advise you to do the following to keep your Secret API Key safe and prevent anyone else from misusing it:
- Do not share your Secret API Key with anyone.
- Do not share or save your API Key on the public internet or in a public code repository such as GitHub.
- Regularly rotate your API Key to ensure its safety.
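One way to catch a key before it reaches a repository is to scan files for key-like strings before each commit. The script below is an added example, not Xendit's own code; the key pattern (the xnd_development_ / xnd_production_ prefixes and the minimum length) and the XENDIT_SECRET_KEY variable name are assumptions, so adjust them to match the keys shown in your dashboard.

```python
import re
import sys
from pathlib import Path

# Assumption: secret keys look like "xnd_development_..." or "xnd_production_...".
# Adjust the pattern to the keys shown in your own dashboard.
KEY_PATTERN = re.compile(r"\bxnd_(?:development|production)_[A-Za-z0-9]{16,}")


def redact(key):
    """Keep only the prefix so the report never reprints the secret."""
    parts = key.split("_", 2)
    return f"{parts[0]}_{parts[1]}_****"


def scan_text(text, source="<memory>"):
    """Return (source, line_no, redacted_key) for every key-like string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((source, line_no, redact(match.group())))
    return findings


def scan_paths(paths):
    """Scan each readable file; skip directories and unreadable paths."""
    findings = []
    for path in paths:
        p = Path(path)
        if not p.is_file():
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample: the key value below is fake. Line 3 shows the safer
# habit of reading the key from the environment (variable name is hypothetical).
SAMPLE = '''import os
API_KEY = "xnd_development_FAKEFAKEFAKEFAKEFAKE1234"
SAFE_KEY = os.environ["XENDIT_SECRET_KEY"]
'''

if __name__ == "__main__":
    args = sys.argv[1:]
    results = scan_paths(args) if args else scan_text(SAMPLE, "sample.py")
    for source, line_no, key in results:
        print(f"{source}:{line_no}: possible secret key {key}")
    sys.exit(1 if results else 0)  # non-zero exit lets a commit hook block
```

Run it with the staged file names as arguments from a pre-commit hook; a non-zero exit status stops the commit.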
What happens when the Secret API Key has been exposed?
If your key is exposed, you might experience the following:
- Someone else might have access to your transactions
- Someone else might be able to conduct activities that cause losses on your side
Please note that anyone with access to your API Key can use it to create transactions, even without access to the Xendit dashboard.
What must be done when your API Key has been exposed?
If your API Key has been exposed, or there is any indication that it has been, please do the following:
- Immediately remove your API Key from your Xendit Dashboard
- Add an IP whitelist on your dashboard via the following steps.
  - When you apply an IP address whitelist, API Keys can only be used from an IP address that has been registered.
- Reset your password on your Xendit Dashboard
- Investigate where and how the leak happened to ensure it won't happen again
- Please contact Xendit immediately for other security measures and fraud prevention steps
If you have further questions regarding your Secret API Key, please contact us at help@xendit.co