Skip to main content
<   Back to Blog Articles

Securing API Tokens

Carlyn Manly

KeyWhen a specialist clicks on him/herself in the far right of the toolbar and selects the option ‘My Profile’, it used to be possible for this person to go to the ‘API’ section and see his/her API token.

This is considered a potential security risk. An attacker who managed to gain access to someone’s Xurrent session, could look up this person’s token to later make transactions using Xurrent’s REST API.
That is why, from now on, an API token is only presented once to its owner. The owner is subsequently expected to treat this token like a password. In order to see a valid API token, people now need to click on the Reset API token button. This warns the user that any integrations that rely on the current API token will stop working unless they get the new token after the reset has completed.
Warning message before reset of Xurrent API token
Once the token has been reset, it is visible only once to allow its owner to copy it and store it securely in a password management application.
Xurrent API token is visible only once after reset

Stay up to date on the latest posts

Sign Up Now!