I noticed that a GET on a notification feed responds with a next attribute containing the API key. Not the secret, just the API key.
I'm curious whether this is safe to expose to an end user?
Example:
"next": "/api/v1.0/feed/notification/user8/?id_lt=8a4ba960-76fc-11e7-8080-800139637857&api_key=blahblahblahblah&limit=1&location=unspecified&offset=0"
The data payload you send to any of our API endpoints is encoded using your API secret into a JSON Web Token payload in the header for most calls. And guessing your very long API secret to properly encode anything would take an awfully long time, so yes, we feel it's safe.
Also, you cannot log into the dashboard using your API credentials in any way, so your billing information is safe (we still recommend turning on two-factor authentication in the dashboard, though).
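The split described in this answer, as an added example that is not part of the original thread or the vendor's code: the API key in the URL only selects which secret the server verifies against, and the HS256 signature made with the secret is what authorizes the call. The claim names, the secret value and the helper functions are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample credentials; the key matches the placeholder in the URL above.
API_KEY = "blahblahblahblah"                                  # public identifier
SECRETS = {API_KEY: b"constructed-secret-5f1c9e27a4b84d0e"}   # server-side only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Client side: HS256-sign the claims with the API secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes):
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm: the token must not be allowed to choose "none".
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        return None
    try:
        return json.loads(b64url_decode(body))
    except ValueError:
        return None

def authorize(api_key: str, token: str):
    """Server side: api_key only selects which secret to verify against."""
    secret = SECRETS.get(api_key)
    return verify_jwt(token, secret) if secret else None

if __name__ == "__main__":
    claims = {"feed_id": "notification:user8", "action": "read"}  # hypothetical claims
    print(authorize(API_KEY, sign_jwt(claims, SECRETS[API_KEY])))  # signed with the secret
    print(authorize(API_KEY, sign_jwt(claims, API_KEY.encode())))  # signed with the key only
```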