
API Key Security

For Brands

API keys give third-party agencies and integrations read access to your brand’s data. Because they grant real access, they need to be managed with the same care as passwords.

Use this page when you are:

  • Issuing a key to an agency and wondering how to scope it safely
  • Responding to an email saying a key was auto-revoked and unsure what to do
  • Setting a rotation policy for your integrations
  • Responding to a leaked or potentially compromised key

An API key is equivalent to a password for your brand’s data. Anyone who holds the key can read everything it has access to — location profiles, leads, analytics, content.

Never:

  • Commit a key to a Git repository (even a private one)
  • Put a key in client-side JavaScript or a mobile app
  • Send a key in Slack, email, or any other messaging platform
  • Share a key between multiple agencies or projects

Always:

  • Store keys in environment variables or a secrets manager (Vault, AWS Secrets Manager, 1Password Secrets Automation, etc.)
  • Issue a separate key per agency or integration — one key per relationship
  • Set an expiry date when issuing to a temporary contractor or agency
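The two habits above, keeping the key out of source and reading it from the environment, can be enforced mechanically. The following is an added example, not KynectLocal's own code: it reads the key from an environment variable (the variable name KYNECTLOCAL_API_KEY is an assumption) and provides a scanner you can run as a pre-commit hook over staged files so a key never reaches the repository. The page shows that live keys start with "kl_live_"; the character class and minimum length after that prefix are assumptions for illustration.

```python
import os
import re
import sys

# Assumed environment variable name; the page does not specify one.
ENV_VAR = "KYNECTLOCAL_API_KEY"

# Keys begin with "kl_live_" (from the page); the alphanumeric body and its
# minimum length are assumptions made for this example.
KEY_PATTERN = re.compile(r"kl_live_[A-Za-z0-9]{8,}")


def load_api_key(env=None):
    """Read the key from the environment instead of source code.

    Fails loudly when the variable is missing so a misconfigured deployment
    cannot silently fall back to a hardcoded value.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start")
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} does not look like a KynectLocal key")
    return key


def find_leaked_keys(text):
    """Return every token in `text` that looks like a live key."""
    return KEY_PATTERN.findall(text)


def redact(text):
    """Keep only the prefix and last four characters of each key found."""
    return KEY_PATTERN.sub(lambda m: "kl_live_..." + m.group(0)[-4:], text)


def check_files(paths):
    """Scan files; return (path, line_no, redacted_line) for each hit.

    Findings are redacted so the hook's own output does not print the key
    into CI logs or a terminal scrollback.
    """
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            for n, line in enumerate(f, 1):
                if KEY_PATTERN.search(line):
                    findings.append((path, n, redact(line.rstrip("\n"))))
    return findings


if __name__ == "__main__":
    # Pre-commit usage: python check_keys.py $(git diff --cached --name-only)
    hits = check_files(sys.argv[1:])
    for path, n, line in hits:
        print(f"{path}:{n}: possible API key: {line}")
    sys.exit(1 if hits else 0)
```

Wire `check_files` into a pre-commit hook (or a CI step over the diff) and the commit is rejected before the key is ever pushed, which is far cheaper than the history rewrite and revocation a leak requires.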

Rotate API keys on a regular schedule, even if nothing has gone wrong. This limits the exposure window if a key was silently compromised.

Recommended cadence:

Relationship                    Rotation interval
Ongoing agency / integration    Every 90 days
Project-based contractor        At end of project, or 30 days — whichever is sooner
Any key with no expiry set      Review quarterly; set an expiry

To rotate a key:

  1. Go to Integrations → API Keys in the admin
  2. Click Rotate next to the key
  3. Copy the new key shown in the modal
  4. Update the agency’s or integration’s configuration with the new key
  5. Confirm the integration is working before closing the modal — the old key is invalid immediately

Revoking a key when an agency relationship ends


When you stop working with an agency, revoke their key before their access ends — not after.

  1. Go to Integrations → API Keys
  2. Click Revoke
  3. Add an optional reason (e.g., “Agency contract ended 2026-06-01”) — this appears in the audit log
  4. Confirm

Revocation is immediate and permanent. The key cannot be un-revoked. If you need to restore access, issue a new key.


If a key may have been exposed — found in a commit, shared over an insecure channel, or included in a bug report — treat it as compromised.

Immediate steps:

  1. Revoke the key now. Do not wait to confirm whether the leak was exploited. Go to Integrations → API Keys → Revoke.
  2. Review the audit log. Click the key name to open the detail view → scroll to the audit log. Look for unexpected IP addresses, unusual usage patterns, or “used” events outside business hours.
  3. Issue a replacement. Create a new key with a fresh name and a short expiry date. Give it only the location scope the integration actually needs.
  4. Notify the agency if they need to update their configuration with the new key.
  5. Investigate the root cause. If the key was in a Git repository, use git log -S "kl_live_" to find the commit and remove it from history. Removing it from history limits further spread but does not undo the exposure; the revocation in step 1 is what closes the hole.

KynectLocal automatically revokes a key after 5 consecutive failed authentication attempts within 5 minutes. This protects you if an attacker is attempting to brute-force or enumerate keys.

When auto-revocation fires, all active brand admins receive an email with the subject:

Security alert: an API key for [Brand] was automatically revoked

The email includes the key name, the number of failures, the time they occurred, and the IP address of the last attempt.

If you recognize the activity — for example, an agency recently changed their configuration and is sending the wrong key:

  1. Contact the agency to fix their integration
  2. Go to Integrations → API Keys → issue a new key with the correct value
  3. Give the new key to the agency

If you do not recognize the activity:

  1. Review the IP address in the email against any known agency or integration IPs
  2. Check the audit log for the revoked key — look for any successful “used” events before the failures started
  3. Check whether any other active keys may have been exposed through the same channel as the compromised one
  4. Rotate all keys that share the same scope as the revoked key as a precaution
  5. If you believe a data breach may have occurred, contact support@kynectlocal.com
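The audit-log review described in the compromised-key steps and in the list above (unknown IP addresses, “used” events outside business hours, successful uses before the failures began) and the 5-failures-in-5-minutes auto-revocation rule can both be expressed as small checks over the log. The block below is an added example, not KynectLocal's code. The log line format, the per-key list of known agency IPs, and the 08:00-18:59 UTC business-hours window are all constructed assumptions; KynectLocal's actual export format is not documented on this page.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: "<timestamp> <event> key=<name> ip=<addr>".
# Two uses from the agency's known address during the day, two uses from an
# unknown address at 02:00, then five failed attempts within two minutes.
SAMPLE_LOG = """\
2026-05-30T09:15:02Z used key=agency-north ip=203.0.113.7
2026-05-30T14:40:11Z used key=agency-north ip=203.0.113.7
2026-05-31T02:05:49Z used key=agency-north ip=198.51.100.23
2026-05-31T02:06:10Z used key=agency-north ip=198.51.100.23
2026-05-31T10:00:00Z auth_failed key=agency-north ip=198.51.100.23
2026-05-31T10:00:30Z auth_failed key=agency-north ip=198.51.100.23
2026-05-31T10:01:00Z auth_failed key=agency-north ip=198.51.100.23
2026-05-31T10:01:30Z auth_failed key=agency-north ip=198.51.100.23
2026-05-31T10:02:00Z auth_failed key=agency-north ip=198.51.100.23
"""

KNOWN_IPS = {"agency-north": {"203.0.113.7"}}  # constructed per-key allow-list
BUSINESS_HOURS = range(8, 19)                   # 08:00-18:59 UTC, an assumption


def parse_log(text):
    """Turn the constructed text format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "event": event, "key": kv["key"], "ip": kv["ip"]})
    return events


def suspicious_uses(events, known_ips, business_hours=BUSINESS_HOURS):
    """Flag successful uses from an unknown IP or outside business hours."""
    flags = []
    for e in events:
        if e["event"] != "used":
            continue
        reasons = []
        if e["ip"] not in known_ips.get(e["key"], set()):
            reasons.append("unknown ip")
        if e["ts"].hour not in business_hours:
            reasons.append("outside business hours")
        if reasons:
            flags.append((e["ts"].isoformat(), e["ip"], ", ".join(reasons)))
    return flags


def used_before_first_failure(events):
    """Successful uses that precede the first failure: was the key already in use?"""
    failures = [e["ts"] for e in events if e["event"] == "auth_failed"]
    if not failures:
        return [e for e in events if e["event"] == "used"]
    first = min(failures)
    return [e for e in events if e["event"] == "used" and e["ts"] < first]


def auto_revoke_time(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window model of the auto-revocation rule.

    Returns the timestamp of the failure that makes `threshold` failures
    fall inside `window`, or None if the rule never fires.
    """
    recent = deque()
    for e in events:
        if e["event"] != "auth_failed":
            continue
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return e["ts"]
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, ip, why in suspicious_uses(evs, KNOWN_IPS):
        print(f"suspicious use at {ts} from {ip}: {why}")
    print("uses before first failure:", len(used_before_first_failure(evs)))
    print("auto-revocation would fire at:", auto_revoke_time(evs))
```

On the sample, the two 02:00 uses from 198.51.100.23 are flagged on both counts, all four uses precede the failures (the key was being used before anyone started guessing), and the fifth failure at 10:02:00 is the one that would trigger revocation. The same three questions are what you are answering by eye when you scroll the audit log in the admin.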

When creating a key, you can restrict it to one or more specific locations rather than giving it brand-wide access. Use this to limit the blast radius if a key is compromised.

Scope                Use when
All locations        The agency manages data for all your locations
Specific locations   The agency is hired for a subset of locations (regional rollout, pilot market, etc.)

You cannot change a key’s scope after creation. If you need a different scope, revoke the key and issue a new one.


Every key has an audit log showing:

  • When the key was created and by whom
  • Every rotation event
  • Revocation (manual or auto)
  • Authentication failures (sampled)

Access it from Integrations → API Keys → click a key name → Audit Log tab.

The audit log is append-only and cannot be cleared. It is available for as long as the key exists in the system.


Related pages:

  • Integrations — connecting third-party platforms to your brand
  • Authentication — how third-party developers use the key in API requests
  • Rate Limits — per-key request limits
  • Team — manage who has brand admin access to issue and revoke keys