Back to Help Center
Troubleshooting

Use developer settings and API tokens safely

Treat API tokens as sensitive credentials and use developer settings only when you understand the integration you are building.

5 min readUpdated Jul 8, 2026
Audience

Technical hosts, teams, and collaborators using developer or integration features.

User need

I want to use developer settings without exposing private tokens or attendee data.

Developer settings can affect real data

Developer features are useful for integrations, automation, and technical workflows. They can also touch events, registrations, organizations, and attendee data.

Use them carefully. A leaked token can create privacy, billing, or operational risk depending on what the token can access.

Token safety rules

Store tokens in a secure secret manager or environment variable.

Never commit tokens to GitHub or share them in screenshots.

Do not send tokens to support unless support explicitly provides a secure process.

Use the least access needed for the integration.

Rotate or revoke tokens when a teammate leaves or a secret may be exposed.

Avoid using production attendee data for unnecessary tests.

When an integration breaks

1

Check the workflow

Identify whether the issue affects event creation, event updates, registrations, attendee export, payments, or another integration path.

2

Review recent changes

Look for token rotation, permission changes, organization changes, API response changes, or deployment changes.

3

Capture safe evidence

Send endpoint path, timestamp, error code, request ID from logs when you have one, and redacted screenshots.

4

Redact secrets

Remove bearer tokens, API keys, private URLs, attendee emails, card details, and identity data unless support gives a secure instruction.

5

Contact support

Use support with safe debugging details and explain the business impact.

Never commit secrets

Do not commit API tokens, payment secrets, webhook secrets, database URLs, or private keys to a repository. If a secret is committed, rotate it immediately.

FAQ

Can I send an API token to support?

No, not in a normal support message. Share safe context first. Support can ask for a secure process if a secret is truly required.

What should I do if a token was exposed?

Revoke or rotate it as soon as possible, then review recent integration activity and contact support if attendee or event data may be affected.

Can I test with real attendee data?

Avoid it unless necessary. Use minimal, redacted, or test data whenever possible.

Related guides