Safeguarding your PII in API requests
September 2022
To safeguard your Personally Identifiable Information (PII) in API requests, we are removing the ability to submit PII as query string parameters by October 15, 2022.
BILL PII includes (but is not limited to) userName, password, devKey, and sessionId.
PII is not safe as query string parameters
URLs are commonly stored in browser histories and server logs. In an API request, sending sensitive information with query string parameters is not safe.
If an attacker has access to a URL that includes query string parameters, they may have access to the PII.
Example: PII as query string parameters is NOT safe
https://api.bill.com/api/v2/Login.json?userName={username}&password={password}&orgId={organization_ID}&devKey={developer_key}
Submit PII only in the request body
After October 15, 2022, you will not be able to submit PII as query string parameters.
Update your code to set PII in the request body. To sign in to your BILL sandbox developer account and create an API session, set all PII in the request body.
Example: PII in the request body is safe
curl --request POST 'https://api.bill.com/api/v2/Login.json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'userName={username}' \
--data 'password={password}' \
--data 'orgId={organization_ID}' \
--data 'devKey={developer_key}'
See API request format and Development environments for more information.
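An added example (not BILL's code) for auditing an existing integration: it moves the query string of a legacy URL into a form-encoded body, masks the PII parameters named above before a URL is logged, and flags log lines that still carry them. The function names, sample URL, and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# PII parameter names listed on this page (the page notes the list is not exhaustive).
SENSITIVE = {"username", "password", "devkey", "sessionid"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def move_query_to_body(url):
    """Return (clean_url, form_body): every query parameter moves to the body."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return clean, urlencode(pairs)

def redact_url(url, mask="REDACTED"):
    """Mask sensitive query values so the URL can be logged or shared."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def find_leaks(log_lines):
    """Return (line_number, sorted sensitive parameter names) per leaking line."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        names = set()
        for url in URL_RE.findall(line):
            for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                if key.lower() in SENSITIVE:
                    names.add(key)
        if names:
            hits.append((number, sorted(names)))
    return hits

# Constructed sample data: not real credentials and not real log output.
LEGACY_URL = ("https://api.bill.com/api/v2/Login.json"
              "?userName=alice%40example.com&password=p%26ss&orgId=00000&devKey=abc")
SAMPLE_LOG = [
    "GET " + LEGACY_URL + " 200",
    "POST https://api.bill.com/api/v2/Login.json 200",
    "GET https://api.example.test/list?sessionId=s1&page=2 200",
]

if __name__ == "__main__":
    print(redact_url(LEGACY_URL))
    print(find_leaks(SAMPLE_LOG))
```

The body returned by `move_query_to_body` is already form-encoded, so it can be sent as the POST body with the `Content-Type: application/x-www-form-urlencoded` header shown in the curl example.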