Afterpay API Key
Service Name: Afterpay (now known as Block, formerly Square)
Service Description: Afterpay is a "buy now, pay later" service that allows customers to make purchases and pay for them in four installments, with the first payment due at the time of purchase. Merchants integrate Afterpay into their checkout process to offer this payment option to customers.
Service Address: https://www.afterpay.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured in the Afterpay merchant portal under API settings.
Secret Access Scope: Grants access to Afterpay's merchant API, allowing integration with e-commerce platforms, processing of payments, refunds, and access to transaction data.
Secret Revokement URL: https://developer.afterpay.com/afterpay-online/docs/managing-api-keys
Secret Example: ap_test_YourMerchantId_YourSecretKey123456789abcdefghijklmnopqrstuvwxyz
Suspicious Activity Investigation Instructions:
-
Review the Afterpay merchant portal for unusual transaction patterns or unauthorized refunds.
-
Check API logs for unexpected API calls or access from unusual locations.
-
Monitor for changes in payment processing configurations or webhook endpoints.
-
Verify that transaction volumes and amounts align with expected business patterns.
-
Look for any unauthorized changes to payment terms or customer payment schedules.
Mitigation Instructions:
-
Log in to your Afterpay merchant account.
-
Navigate to the API settings or Developer section.
-
Locate the compromised API key and click "Revoke" or "Delete".
-
Generate a new API key to replace the compromised one.
-
Update the API key in all legitimate integrations and applications.
-
Review and update IP restrictions for API access if available.
-
Enable additional security measures such as two-factor authentication for your merchant account.
-
Audit all recent transactions processed with the compromised key for potential fraud.