Skip to content

If a key leaks

“Leaked” means a key ended up somewhere it shouldn’t have — posted in a public place, left in code that got shared publicly, or held by a developer or agency you no longer work with. Treat any of these as a leak, even if you’re not sure anyone used it.

  1. Tell us immediately — don’t wait to confirm whether it was misused.
  2. Tell us which key: the safe-to-share prefix printed on it (for example pk_live_ followed by a few characters) is enough — never re-send us the full key itself, even to identify it.
  3. We turn the old key off and give you a new one.

The old key stops working immediately — the very next request made with it is refused, not the next hour or the next day. There’s no waiting period.

  • Give each website or integration its own key, rather than reusing one key everywhere. If one leaks, you turn off only that one key — everything else using a different key keeps working.
  • Use test keys while building, and only ask for live keys when you’re ready to go live. A leaked test key can’t touch real bookings or real money.
  • Never send a secret key over chat, email, or a support ticket — not even to us. If we ever ask you to paste a full key into a message, that’s not really us asking.

Once we’ve issued your replacement key, update it wherever your old key was used (your website’s server settings, your developer’s config) before telling anyone the old key is gone — the old one truly won’t work anymore starting the moment we turn it off.