Support

July 26, 2023 at 6:53 pm

HEllo,

I received this email from mailchimp (see below) advising of an update to their api which will impact my integration. Can someone please help me figure out if I am passing api keys in query parameters for api authentication?

MAIL CHIMP EMAIL
We’re writing to let you know about a change that we’re making to our API that will affect an integration you use. We want you to know more about this change and how it may impact you, as well as next steps you should take.

What’s changing
On August 8, we will stop allowing integrations to pass API keys in query parameters for API authentication.

For context, you can think of an API as a way for different apps to talk to one another. You send and receive data between apps using API requests and responses. An API key is a unique series of characters—similar to a password—that’s included in a request to verify that the requesting system is allowed to communicate with the receiving system. For this reason, it is very important to maintain best security practices with API keys.

Passing keys in query parameters poses a security risk because the API key can be stored in your browser history, which could give unauthorized access to the API key if someone uses your computer or otherwise has access to your browser history.

What you need to do
Before August 8, you’ll need to ensure all integrations in your account don’t pass API keys through query parameters. Below is the API key(s) used to connect to an affected integration. For security reasons, we can only provide the first 4 characters of your API key.

API key(s): dcf0

You can find your API key in your account. Sometimes, the API key will include a label to describe which integration is associated with that API key. If you’re unsure which integration is associated with an API key, you or a developer will need to review any integrations connected to your Mailchimp account to determine which uses the API key.

If you use a custom integration
Before August 8, you or your developer will need to ensure your custom integration is updated to use HTTP basic authentication or bearer authentication.

If you do not update your integration, you will get a 401 error with the title “API Key Invalid,” and message, “Your request did not include an API key,” when trying to authenticate an action by sending an API key in query parameters

If you use another company’s integration
After you know the integration that uses the API key, check the integration’s website to see if there’s an updated version of the integration that fixes this issue. If you can’t determine this, reach out to the integration’s developer to check.

You can also consider switching to a different integration. Our integrations directory is a good place to find alternative integrations, or you can hire a Mailchimp partner to help create a custom solution to meet your needs.

We appreciate your understanding as we make these changes to align with best security practices for our customers. If you have any questions, please use one of our support options and we’ll be happy to help.

– Mailchimp