Manage Secret Keys

Secret API keys and webhook decoding keys are generated by your Customer Support representative in PayAdmin. Once the keys are provisioned and shared to you via Keeper, it's your responsibility to manage these secrets safely to prevent leakage to bad actors.

• Store secret keys within a secure Key Management System. This is a type of program that uses encryption and access control to ensure sensitive information is properly handled. After the key is secured, make sure any local copies of the key are deleted.
• Limit access to the secret keys. Use a clear policy defining which users can create, read, or update keys using access control. Periodically audit the access to avoid excess privileges, keeping the list of leakage vectors small enough to manage.
• Don't share the secret keys using insecure means, such as chat messages or email, which circumvent the access control and encryption of the key management system.
• Don't store the secret keys in source code repositories, such as GitHub. If the source code is public, it could be scanned by bad actors for leaked keys. If the source code is private, it might be exposed when cloned to a local file within the development environment of team members. Instead, inject the values into your application using encrypted environment variables managed by an Operations team member.
• Don't embed secret keys in applications. Client-facing software, such as SDKs and mobile apps, can be scanned for leaked keys.
• Audit API logs to monitor suspicious activity. If a compromised secret key is identified, contact your Customer Support representative to generate a new key. Reconfigure your systems with the new key, then request deletion of the old key.