How to Keep Your Account Secure


It is important to always ensure that your Klaviyo account and data are as secure as possible. Especially during times of increased traffic to your site and messaging from your brand, keep in mind how you configure your communication and assign roles in your account.

In this article, we’ll go over two crucial security checkups to execute:

  • Public versus private API key security checkup
  • User review and access checkup

Public vs. Private API Key Security Checkup

To access your account’s API keys, head to Account > Settings > API Keys. Your public key, i.e., your site ID, is in the table in the first section of this page, whereas your private keys are listed in the second table labeled Private API Keys.

Private API keys read data from Klaviyo and manipulate sensitive objects such as lists. It’s important to keep private API keys private — treat them like passwords, kept in a safe place and never exposed to the public. Meanwhile, your public API key is your account identifier. Use your public API key and not your private API key when configuring and using the Klaviyo JavaScript library.

Private API keys all start with the prefix “pk_” and are followed by 34 alphanumeric characters. For example, a private key will look something like: pk_abc123def456ghi789jkl0mno123pqrst4.

Take care not to accidentally use a private API key instead of your public one, in particular when using the JavaScript libraries available at This can lead to abuse of your account if a malicious actor finds the private key. If you use the wrong API key within your JavaScript, you will also not be able to successfully collect or utilize the applicable data.

Verify That the Klaviyo JavaScript Uses Your Public API Key

Klaviyo requires your public API key when downloading the klaviyo.js JavaScript file. This allows the JavaScript to properly associate customer and visitor data with your company. To accomplish this, the company_id should be set to your public API key when referencing the JavaScript.

To verify that you’re using the public API key, view the line of code in your HTML that references the JavaScript. To do so, open your website using the Chrome browser. Then, right-click and select View Page Source. When the new page opens, select Edit > Find > Find... and search for "pk_".

Inspect the value located at “API_KEY” below to ensure that it is your public API key (i.e., site ID):

<script async type="text/javascript" src="//
  klaviyo.js?company_id=API_KEY"></script>

Make sure that your private key is not used as a company_id, "token" value, or, in rare cases, account value. If you don't find it when searching, have your developer verify. If it uses a private API key (value starts with “pk_”), review the section below on what to do if your private API key was exposed.

Verify That You Use Your Public Key to Call the Action, Identify, or Track APIs

Note, if you only use the _learnq object that’s automatically added by the Klaviyo JavaScript and have verified that this is configured correctly, then you are using your public API key.

When developing an application or integration that directly calls the following APIs, you must use your public API key:

Review the token value and verify that it uses your public API key. If the token value begins with “pk_” then you’re using your private key and need to review the section below on what to do if your private API Key was exposed.

Review how the data passed to the API is created and verify that the token value is set to your public API key within the JSON data blob. Below is an example of the JSON structure:

{
  "token" : "PUBLIC_API_KEY",
  "properties" : {
    "$email" : "",
    "$first_name" : "Thomas",
    "$last_name" : "Jefferson",
    "Plan" : "Premium",
    "SignUpDate" : "2016-05-01 10:10:00"
  }
}

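The two checks described above (the company_id in the script reference and the token value in API payloads) can be automated in a build or review step. The following is an added example, not code from Klaviyo: the function names, the placeholder host cdn.example.invalid, and the sample page source are assumptions made for illustration, and the pattern is taken from the key format described in this article.

```javascript
// Added example. Pattern from the article: "pk_" followed by 34 alphanumerics.
const PRIVATE_KEY_RE = /\bpk_[A-Za-z0-9]{34}\b/g;
// Fields the article says must never hold a private key.
const FIELD_RE = /(company_id|token|account)["']?\s*[:=]\s*["']?$/i;

// Keep the full secret out of logs and tickets.
function redact(key) {
  return key.slice(0, 5) + "***";
}

// Return one finding per private-key-shaped value, with line number and field.
function findExposedPrivateKeys(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(PRIVATE_KEY_RE)) {
      const field = text.slice(0, m.index).match(FIELD_RE);
      findings.push({
        line: i + 1,
        field: field ? field[1].toLowerCase() : "unknown",
        key: redact(m[0]),
      });
    }
  });
  return findings;
}

// Constructed sample: page source with the article's example key misused twice.
// The host cdn.example.invalid is a placeholder, not a real Klaviyo URL.
const EXAMPLE_KEY = "pk_abc123def456ghi789jkl0mno123pqrst4";
const SAMPLE_SOURCE = [
  '<script async type="text/javascript"',
  `  src="//cdn.example.invalid/klaviyo.js?company_id=${EXAMPLE_KEY}"></script>`,
  '<script>var ok = {"token" : "PUBLIC_API_KEY", "properties" : {"Plan" : "Premium"}};</script>',
  `<script>var bad = {"token" : "${EXAMPLE_KEY}", "properties" : {"Plan" : "Premium"}};</script>`,
].join("\n");

for (const f of findExposedPrivateKeys(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: private key ${f.key} used as ${f.field}`);
}
```

Any finding means the key should be handled as exposed, following the steps in the next section.
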
What To Do if Your Private API Key Was Exposed

If your private API key was used instead of your public API key, record the private API key (you will need that later) and replace it with your public API key. This will allow your code to work as expected within the Klaviyo platform. You will then need to delete and replace the exposed key in order to protect your company and customer data from unauthorized exposure.

First, identify all integrations and applications you may have. This includes commercial integrations and custom code. For each integration and application that uses an exposed private API key, create a new key in your account settings by selecting Create API Key.

Then, give the key a meaningful label for quick identification in the future by selecting the pencil icon next to the label. Assign a label in the Update API Key Label modal, then select Save API Key.


Each integration should have a unique private API key to simplify key management. Update the integration with the new private API key by following the integration’s instructions on how to update the API key.

Once all integrations that used the exposed key have been updated, delete the exposed API key. The delete option will appear when you hover over the key. Be careful to select the correct key to delete, as there is no verification when the delete button is selected. Once deleted, you will have protected your data from unauthorized access via the exposed private key.

For more information on API key security, head to Manage Your Accounts API Keys.

User Management and Data Access Checkup

It is important to understand who has access to different features and information in your account. To see all users who have access to your account, head to the account dropdown in the upper right corner of your screen and select Account. Then, click Settings > Users.


Periodically reviewing the users within your account and their access level is an important security activity. There are three activities that will help secure your account:

  • User Review
    Review all users in your account and identify any who no longer require access. Common reasons for removing access include: role change within the company, termination of an employee, or contract expiration of a 3rd party vendor. Delete any users that should no longer be active by selecting the X next to their email.
  • Role Review
    Ensure that each user has appropriate permissions and can only access the data and functionality that is required to execute their job. For information around what user roles have access to, head to User Management and Privileges.
  • Two-Step Authentication
    Two-step authentication adds an additional layer of security for your account by requiring a one-time password in addition to your standard username and password. This protects against password guessing and phishing attacks, and is a general security best practice. In the Users tab (Account > Settings > Users), toggle on the option to Require two-step authentication for all users. Users will then be required to configure multi-factor authentication for their account if they have not done so already.
