Safeguarding your PII in API requests

September 2022

To safeguard your Personal Identifiable Information (PII) in API requests, we are removing the ability to submit PII as query string parameters by October 15, 2022.

BILL PII includes (but is not limited to) userName, password, devKey, and sessionId.

PII is not safe as query string parameters

URLs are commonly stored in browser histories and server logs. In an API request, sending sensitive information with query string parameters is not safe.

If an attacker has access to a URL that includes query string parameters, they may have access to the PII.

Example: PII as query string parameters is NOT safe{username}&password={password}&orgId={organization_ID}&devKey={developer_key}

Submit PII only in the request body

After October 15, 2022, you will not be able to submit PII as query string parameters.

Update your code to set PII in the request body. To sign in to your BILL sandbox developer account and create an API session, set all PII in the request body.

Example: PII in the request body is safe

curl --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'userName={username}' \
--data 'password={password}' \
--data 'orgId={organization_ID}' \
--data 'devKey={developer_key}'

See API request format and Development environments for more information.