Skip to main content
This article defines security and credential management expectations when working with Standalone API Keys. It focuses on how integrations and developers must protect API Keys, maintain access, and respond to key lifecycle events.

Key Security Principles

Standalone API Keys are static credentials with company-level access.
Security responsibilities fall entirely on the integration and the organisation.

Core Principles

  • Treat API Keys as sensitive secrets, like passwords
  • Limit exposure to only the systems that require access
  • Enforce least-privilege scope selection
  • Rotate or revoke keys promptly if compromised
  • Avoid embedding keys in client-side applications

Secure Storage

Required Practices

Integrations must:
  • Store API Keys encrypted at rest
  • Mask keys after initial entry; never display the full key again
  • Persist only on trusted backend systems
  • Protect against accidental exposure in logs, error messages, or code repositories
  • Managed secrets vaults (e.g., AWS Secrets Manager, HashiCorp Vault)
  • Environment variables for backend processes
  • Encrypted database fields on server-side systems
Keys must never be embedded in frontend applications, mobile apps, or client-side JavaScript.

Transmission and Handling

  • Always use HTTPS when sending API Keys to backend systems or Pleo endpoints
  • Avoid passing API Keys via query parameters; use headers where possible
  • Validate API Key format before submission to reduce errors and unnecessary logging

Permission and Scope Management

  • Only request the API scopes your integration actually needs
  • Do not assume full access unless explicitly required
  • Surface permission errors clearly and prevent partial activation
Least-privilege API Keys reduce risk in case of leakage.

Key Rotation and Replacement

Standalone API Keys may expire, be revoked, or rotated manually.
  1. Generate a replacement key in the Pleo Web App (if allowed)
  2. Update the key securely in your integration
  3. Revalidate connectivity and company association
  4. Remove or invalidate the previous key from your systems
Automated reminders or monitoring for key expiry are strongly recommended.

Compromise and Incident Response

If a key is suspected to be exposed:
  • Immediately revoke or replace the key
  • Notify relevant teams and users
  • Confirm the integration is reconnected with a valid key
  • Audit logs to determine if unauthorized requests occurred

Logging and Monitoring

  • Avoid logging the full API Key
  • Only store minimal identifiers for debugging (e.g., last 4 characters)
  • Monitor API responses for authentication failures
  • Alert users promptly when action is required

Summary

Standalone API Keys require careful management:
  • They are static, company-level credentials
  • Security and lifecycle management is integration responsibility
  • Following encryption, masking, scope limitation, and rotation best practices ensures safe and reliable access
Proper operational security complements the UX Guidelines and Integration Design to provide a complete integration strategy.

What Comes Next?