If a key leaks
“Leaked” means a key ended up somewhere it shouldn’t have — posted in a public place, left in code that got shared publicly, or held by a developer or agency you no longer work with. Treat any of these as a leak, even if you’re not sure anyone used it.
What to do
Section titled “What to do”- Tell us immediately — don’t wait to confirm whether it was misused.
- Tell us which key: the safe-to-share prefix printed on it (for example
pk_live_followed by a few characters) is enough — never re-send us the full key itself, even to identify it. - We turn the old key off and give you a new one.
What happens when we turn a key off
Section titled “What happens when we turn a key off”The old key stops working immediately — the very next request made with it is refused, not the next hour or the next day. There’s no waiting period.
Practical habits that make this easier
Section titled “Practical habits that make this easier”- Give each website or integration its own key, rather than reusing one key everywhere. If one leaks, you turn off only that one key — everything else using a different key keeps working.
- Use test keys while building, and only ask for live keys when you’re ready to go live. A leaked test key can’t touch real bookings or real money.
- Never send a secret key over chat, email, or a support ticket — not even to us. If we ever ask you to paste a full key into a message, that’s not really us asking.
After a leak
Section titled “After a leak”Once we’ve issued your replacement key, update it wherever your old key was used (your website’s server settings, your developer’s config) before telling anyone the old key is gone — the old one truly won’t work anymore starting the moment we turn it off.