What is API Key?
API Key is a unique ID, used to authenticate the request API sends to a specific server, in this case, Xendit's server (endpoint).
When you need to send an API request into Xendit, you would require an API Key to be able to authenticate the request (in order for the request to go through).
Secret API Key Security
We have provided security features as explained here. However, we would like to advise you on the following things to ensure that your Secret API Key is safe and not misused by another person:
- Please do not share your Secret API Key with anyone
- Please do not share or save your API Key on the public internet or public code repository such as Github, etc.
- Please regularly rotate your API Key to ensure its safety.
What happens when the Secret API Key has been exposed?
If such a case happens, then there is a chance that you might experience the following:
- Someone else might have access to your transactions
- Someone else might be able to conduct activities that causing loss into your side
Please note that anyone with access to your API Key will be able to use it to create transactions even without needed access to the Xendit dashboard.
How does it happen?
There are some reasons why your API Key being leaked or exposed, such as:
- Sharing the API Key with multiple people
- Sharing or keep the API Key in public internet or public code repository such as (Github, etc)
What must be done when your API Key being exposed?
In the case that your API Key has been exposed or any indication toward that, please do the following:
- Immediately remove your API Key from your Xendit Dashboard
- Add an IP whitelist on your dashboard via the following steps. When you apply an IP address whitelist, API Keys can be only use via the IP address that has been registered.
- Conduct a reset password on your Xendit Dashboard
- Investigate where and how the leak happens to ensure it won't happen again
- Please contact Xendit immediately for other security measurement and fraud prevention steps
If you have further questions regarding Secret API Key, please contact us at firstname.lastname@example.org