Security
Protect your PayMongo account with API key management, multi-factor authentication, and security logs.
Securing your PayMongo account is critical. Your account contains sensitive credentials and configuration that controls live payments. This section covers the security controls available to you and best practices for keeping your account safe.
What this section covers
PayMongo provides three layers of security on your merchant account:
- API keys — authenticate every request to the PayMongo API.
- Multi-factor authentication (MFA) — email-based OTP required at login and for sensitive actions.
- Security logs — an audit trail of login events, key changes, and account modifications.
Together, these controls help you prevent unauthorized access, detect suspicious activity, and meet your compliance requirements.
Security principles
When managing your PayMongo account, follow these principles.
Separate test and live credentials. Use pk_test_ and sk_test_ for development; use pk_live_ and sk_live_ only in production. Never test against live keys — live keys process real transactions with real money.
Protect secret keys. Treat sk_test_ and sk_live_ like passwords. Don't share, hardcode, or commit them. Store them only in environment variables or a secret manager. If a secret key is exposed, regenerate it immediately from the dashboard.
Use public keys client-side. pk_test_ and pk_live_ are safe to expose in web, mobile, and public repositories. They can create tokens and payment sources but cannot retrieve data.
Keep MFA in place. MFA is mandatory and on by default. Check your registered email regularly — OTPs are sent there for sensitive actions.
Monitor activity. Review security logs for unusual login patterns or key access. If you see something unrecognized, change your password and regenerate API keys before investigating further.
Detailed security topics
For comprehensive guidance on specific security features, see:
How to generate, rotate, and revoke API keys — and best practices for keeping them secure across different environments. Learn how to authenticate requests and manage test vs. live keys.
How to use MFA on your account with email-based OTP verification. Understand when MFA is triggered, troubleshoot login issues, and recover lost access.
How to access and interpret the audit trail of login events, key changes, and sensitive actions on your account. Monitor suspicious activity and maintain compliance.
Where to get help
If you have security concerns or need assistance:
- General questions: Check the relevant sub-section above (API Keys, MFA, Security Logs)
- Account access issues: See Multi-Factor Authentication
- Suspected compromise: Contact [email protected] immediately with details and timestamps
- Key rotation assistance: Contact [email protected] if you need help coordinating key rotation across multiple systems
- Compliance/audit needs: Contact [email protected] to discuss security logs export and retention
Next steps
- Account Setup — Learn how to create and activate your account
- Team & Roles — Manage team member access and permissions
- Troubleshooting — Solve common account and security issues
Updated about 4 hours ago