- Never commit keys to source control
- Use environment variables or secret managers
- If a key is compromised, rotate it via Merchant Admin
- Use Woo bootstrap keys only for connect; runtime uses dedicated keys
- Bootstrap keys cannot create invoices (returns HTTP 403)
Security
API Key Security
Meum security guidance for API key security.
Store API keys like passwords.