Published 26 January 2026, Updated 26 January 2026
- API keys and any scripts calling the endpoints must be secured by the integrator.
- Protect tokens at rest and in transit; do not hardcode them in public repositories.
- Ensure your own data sensitivity policies are enforced when exposing or writing records via the API.
If a malicious actor gets an API Key with write scope, they can call add endpoints to inject records at scale, inflate storage costs, skew reports, and create cleanup work. Treat leaked keys as compromised immediately, rotate them, and review rate limits and write scopes.