How to keep your account secure

Last updated at:

You will learn

Learn how to make sure your Klaviyo account and data are as secure as possible.

Configuring your communication and assigning roles correctly is critical, especially when there's increased traffic to your site and messaging from your brand.

Before you begin

There are 2 crucial security checkups to review:

  1. Public versus private API key security checkup
  2. User review and access checkup

Public vs. private API key security checkup

To access your account’s API keys:

  1. Click your organization name in the bottom left corner.
  2. Select Settings > API Keys

Your public key, also caled your site ID, is in the table in the first section of this page, whereas your private keys are listed in the second table labeled Private API Keys.

  • Public API key
    An API you can share with others so that they can get certain information from your API. Your public API key is your account identifier. Use your public API key, and not your private API key, when configuring and using the Klaviyo JavaScript library.
  • Private API key
    An API key that reads data and manipulates sensitive objects (e.g., lists in Klaviyo). It’s important to keep private API keys private. Treat them like passwords, kept in a safe place and never exposed to the public., 
    In Klaviyo, private API keys all start with the prefix “pk_” and are followed by 34 alphanumeric characters. For example, a private key will look something like: pk_abc123def456ghi789jkl0mno123pqrst4.


Why can't you use private API keys in place of public API keys?

Accidentally using a private API key instead of a public one can lead to abuse of your account if a malicious actor finds the private key. If you use the wrong API key within your JavaScript, you will also not be able to successfully collect or utilize the applicable data.

Verify that the Klaviyo JavaScript uses your public API key

Klaviyo requires your public API key when downloading the klaviyo.js JavasScript file. This allows the JavaScript to properly associate customer and visitor data with your company. To accomplish this, the company_id should be set to your public API key when referencing the JavaScript.

To verify that you’re using the public API key, view the line of code in your HTML that references the JavaScript. 

To do so:

  1. Open your website.
  2. Right click and select View Page Source.
  3. When the new page opens, select Edit > Find > Find... and search for "pk_".
  4. Inspect the value located at “API_KEY” below to ensure that it is your public API key (i.e., site ID):
    script async type=”text/javascript” src=”//
      klaviyo.js?company_id=API_KEY” ></script>


  5. Make sure that your private key is not used as a company_id, "token" value, or, in rare cases, account value.

  6. If it uses a private API key (value starts with “pk_”), review the section below on what to do if your private API key was exposed.


Verify that you use your public key to call the action, identify, or track APIs

If you only use the _learnq object that’s automatically added by the Klaviyo JavaScript and have verified that this is configured correctly, then you are using your public API key.

When developing an application or integration that directly calls the following APIs, you must use your public API key:

To verify this: 

  1. Review the token value and check if it uses your public API key.
  2. If the token value begins with “pk_” then you’re using your private key and need to review the section below on what to do if your private API Key was exposed.
  3. Review how the data passed to the API is created and verify that the token value is set to your public API key within the JSON data blob. Below is an example of JSON structure:
    "token" : "PUBLIC_API_KEY",
    "properties" : {
    "$email" : "",
    "$first_name" : "Thomas",
    "$last_name" : "Jefferson",
    "Plan" : "Premium",
    "SignUpDate" : "2016-05-01 10:10:00" }

What to do if your private API key was exposed

If your private API key was used instead of your public API key:

  1. Record the private API key (you will need that later) and replace it with your public API key. This will allow your code to work as expected within the Klaviyo platform.
  2. Delete and replace the exposed key in order to protect your company and customer data from unauthorized exposure.
  3. Identify all integrations and applications you may have. This includes commercial integrations and custom code.
  4. For each integration and application that uses an exposed private API key, create a new key in your account settings by selecting Create API Key.
  5. Give the key a meaningful label for quick identification as well as a specific scope. 
  6. After you create a unique private API key for each integration, update the integration(s) with the new private API key.
  7. Once all integrations that used the exposed key have been updated, hover over the exposed key and then click Delete.
    • Be careful to select the correct key to delete, as there is no verification when the delete button is selected.

Once deleted, you will have protected your data from unauthorized access via the exposed private key.

For more information on API key security, head to Manage Your Accounts API Keys.

User management and data access checkup

It is important to understand who has access to different features and information in your account. To see all users who have access to your account:

  1. Head to your organization name in lower left corner 
  2. Select Settings 
    Users tab under Settings

Periodically reviewing the users within your account and their access level is an important security activity. There are three activities that will help secure your account:

  • User Review
    Review all users in your account and identify any who longer requires access. Delete any users that should no longer be active by selecting the X next to their email.Common reasons for removing access include:
    • Role change within the company
    • Termination of an employee
    • Contract expiration of a third-party vendor.
  • Role Review
    Ensure that each user has appropriate permissions and can only access the data and functionality that is required to execute their job. For information around what user roles have access to, head to User management and privileges.
  • Two-Step Authentication
    Two-step authentication adds an additional layer of security for your account by requiring a one-time password in addition to your standard username and password. This protects against password guessing and phishing attacks, and is a general security best practice. In the Users tab (Settings > Users), toggle on the option to Require two-step authentication for all users. Users will then be required to configure multi-factor authentication for their account if they have not done so already.

Additional resources

Was this article helpful?
10 out of 23 found this helpful