Proof API Keys and GitHub Secret Scanning

Introduction

We partner with GitHub's Secret Scanning Program to detect Proof secrets that are leaked in public repositories. Client-only keys are meant to be publicly accessible, but full access keys carry many more privileges and must be guarded carefully. If a full access key is ever exposed in a public space such as a public GitHub repository, treat it as compromised and act immediately to protect your account and your data: once a key has been pushed to a public repository it may already have been cloned or scraped, so deleting the commit or rewriting history is not enough on its own. Follow the guide below to deal with any leaked secret.

Replace

Before revoking the leaked key, generate a replacement so that revocation does not disrupt any applications or backend systems that still rely on it. If you already see evidence that the leaked key is being abused, revoke it immediately and accept the interruption; a short outage costs less than an attacker operating with full access.

  1. Navigate to Settings >> API Keys in your Business Account and click the Generate Full Access Key button to create a new key.
  2. Apply any settings you had configured on the old key to the new key so it carries the same permissions.
  3. Update every application, environment variable and secret store that referenced the old key so they use the new one, then deploy and confirm your systems work with the new key before moving on.

Revocation

Once you have confirmed that revoking the old key will not affect your applications, revoke the leaked secret.

  1. Navigate to Settings >> API Keys in your Business Account if you aren't already there.
  2. Identify the leaked secret in your list of API Keys by its NAME and VALUE.
  3. Once identified, click the trash can icon in the row of the corresponding key to revoke it.

Audit for Unauthorized Use

Now that you have replaced and revoked the leaked key, review your transaction history and API logs for any activity performed with it. Pay particular attention to the window between the key first becoming public (the timestamp of the commit that exposed it, not the time you were notified) and its revocation, and to requests from IP addresses, at times or against endpoints that do not match how your own systems use the API.
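The following is an added example to illustrate the audit step; it is not Proof's code and does not use the Proof API. It assumes an API log export with one JSON object per line and the field names "ts", "key_id", "ip", "method", "path" and "status", where "key_id" is an identifier for the key rather than its value; the sample log lines, the environment variable name PROOF_API_KEY and the IP allowlist are all constructed for the example. Adjust the field names to whatever your real export contains.

```python
"""Audit helpers for a leaked full access key (added example, not Proof's code)."""
import json
import os
from datetime import datetime, timezone

# Constructed sample log export: one JSON object per line. The field names and
# the "key_id" convention are assumptions for this example, not Proof's format.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:03Z", "key_id": "key_a1b2", "ip": "203.0.113.10", "method": "POST", "path": "/transactions", "status": 201}
{"ts": "2024-03-01T10:40:17Z", "key_id": "key_a1b2", "ip": "203.0.113.10", "method": "GET", "path": "/transactions", "status": 200}
{"ts": "2024-03-01T22:05:44Z", "key_id": "key_a1b2", "ip": "198.51.100.7", "method": "GET", "path": "/transactions", "status": 200}
{"ts": "2024-03-01T22:06:02Z", "key_id": "key_a1b2", "ip": "198.51.100.7", "method": "GET", "path": "/users", "status": 200}
{"ts": "2024-03-02T08:00:00Z", "key_id": "key_c3d4", "ip": "203.0.113.10", "method": "POST", "path": "/transactions", "status": 201}
"""

LEAKED_KEY_ID = "key_a1b2"
# Use the time of the commit that exposed the key (earliest possible exposure),
# not the time the scanning alert arrived. Assumed value for the sample.
LEAKED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
# Egress addresses of your own backends; anything else is unexpected. Assumed.
ALLOWED_IPS = {"203.0.113.10"}


def parse_log(text):
    """Parse one JSON object per line into dicts with a timezone-aware 'ts'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        # fromisoformat only accepts a trailing "Z" from Python 3.11; normalise it.
        entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        entries.append(entry)
    return entries


def find_suspicious(entries, leaked_key_id, leaked_at, allowed_ips):
    """Requests made with the leaked key, after the leak, from an address that is
    not one of your own systems. Everything returned needs a human review."""
    return [
        e for e in entries
        if e["key_id"] == leaked_key_id
        and e["ts"] >= leaked_at
        and e["ip"] not in allowed_ips
    ]


def lines_containing(text, secret):
    """1-based line numbers where the old key value still appears in a file."""
    return [i for i, line in enumerate(text.splitlines(), 1) if secret in line]


def files_still_referencing(root, secret):
    """Walk a checkout or deploy directory and list files that still carry the
    old key value, so you know step 3 of Replace is actually complete."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    if lines_containing(fh.read(), secret):
                        hits.append(path)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    for e in find_suspicious(parse_log(SAMPLE_LOG), LEAKED_KEY_ID, LEAKED_AT, ALLOWED_IPS):
        print(f"{e['ts'].isoformat()} {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    # Constructed stand-in for a .env file that was not updated during Replace.
    env_text = "DEBUG=false\nPROOF_API_KEY=oldkeyvalue\n"
    print("old key still referenced on lines:", lines_containing(env_text, "oldkeyvalue"))
```

Run against the sample, the two requests from 198.51.100.7 are flagged while the earlier requests from your own backend are not, and the stale .env line is reported. Filtering by IP is a starting point, not a verdict: an attacker can route through a cloud provider you also use, so review every request made with the leaked key in the exposure window, not only the flagged ones.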