I get emails saying that my secret key is being used from a new IP

Last updated on October 21, 2021

Whenever your Live Secret Key is used for the first time from a server or computer, we will notify you by email with the IP address and date of use. Subsequent requests from the same IP will not trigger another alert.

This is part of our security measures to ensure that your secret key is not used by unauthorised parties. In the wrong hands, the secret key allows destructive actions on your account: it can be used to make almost any API call, e.g. create new charges, refund existing payments and create transfers, amongst other actions.

You can expect to receive this email regularly if you use cloud deployments, auto-scaling, Heroku, or any service provider that frequently changes the IP of your server. The IP that Omise’s servers see can also be your server’s gateway (NAT) IP, or your home router’s public IP if you used your secret key from your home computer.

It is recommended that you always review these security emails from Omise and confirm that each IP is one you trust. If you come across IPs from unexpected locations, roll (rotate) your secret keys immediately. For clients using Heroku or another platform that does not give your servers a fixed outbound IP, solutions that allow you to fix the outbound IP include:

In AWS, you can deploy your application servers in private subnets of a VPC and route their outbound traffic through a NAT gateway (or a NAT instance) that has an Elastic IP.

Using a fixed outbound IP ensures that Omise’s servers always see the same IP for every API request, so you will only be notified when your secret key is used from an unknown IP.
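To make the review described above routine rather than a manual glance at each email, the following added example (not Omise's code, and not part of the original article) keeps an allowlist of the egress addresses you expect, such as the NAT gateway's Elastic IP and your office range, parses the IP and date out of notification text, and returns every alert whose source falls outside the allowlist. The notification wording, the regular expression, the addresses and the sample emails are all assumptions constructed for the example; adjust the regex to the actual email text you receive.

```python
import ipaddress
import re
from datetime import datetime

# Trusted egress addresses. These are documentation/placeholder ranges
# (assumption): replace them with your NAT gateway's Elastic IP and any
# other network from which you knowingly call the Omise API.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.10/32"),   # NAT gateway Elastic IP (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),   # office egress range (placeholder)
]

# Constructed sample notifications. The real email wording is not shown on
# the page; the regex below assumes one line per alert carrying an IP and an
# ISO date.
SAMPLE_ALERTS = """
Your live secret key was used from a new IP address 203.0.113.10 on 2021-10-21.
Your live secret key was used from a new IP address 198.51.100.77 on 2021-10-22.
Your live secret key was used from a new IP address 192.0.2.55 on 2021-10-23.
Your live secret key was used from a new IP address 2001:db8::1 on 2021-10-23.
"""

ALERT_RE = re.compile(
    r"new IP address (?P<ip>[0-9a-fA-F.:]+) on (?P<date>\d{4}-\d{2}-\d{2})"
)


def parse_alerts(text):
    """Return a list of (ip_address, date) pairs found in notification text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # ignore anything that is not a valid IPv4/IPv6 address
        date = datetime.strptime(m.group("date"), "%Y-%m-%d").date()
        alerts.append((ip, date))
    return alerts


def is_trusted(ip):
    """True if the address lies inside any trusted network.

    ipaddress handles the IPv4/IPv6 mismatch for us: an IPv6 address is never
    'in' an IPv4 network, so it is reported as untrusted unless listed.
    """
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_alerts(text):
    """Alerts whose source IP is outside every trusted network.

    Each entry is (ip, date) as strings so it can be logged or emitted as-is.
    """
    return [
        (str(ip), date.isoformat())
        for ip, date in parse_alerts(text)
        if not is_trusted(ip)
    ]


if __name__ == "__main__":
    for ip, date in untrusted_alerts(SAMPLE_ALERTS):
        # Any hit here is the trigger to roll the secret key and investigate
        # where the request came from.
        print(f"UNTRUSTED: secret key used from {ip} on {date}")
```

Run it against the text of each notification (for example by piping the email body into a small wrapper around `untrusted_alerts`). Keep the allowlist as narrow as your egress design allows: once all API traffic leaves through a NAT gateway, a single /32 is enough, and anything else in the output deserves a key roll.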

