API Keys, Webhooks & Developer Security Policy

Effective Date: 2026

Last Updated: 2026

This API Keys, Webhooks & Developer Security Policy explains how Playflick may manage API keys, access tokens, refresh tokens, client secrets, webhook endpoints, webhook signing secrets, callback URLs, developer credentials, application security, leaked credentials, rate abuse, integration security, and related developer-security features connected to Playflick.com, operated by Playflick™ Media .ltd.

This policy should be read together with our Terms of Service, Privacy Policy, API & Developer Terms, Security Policy & Responsible Disclosure, Domain Whitelisting, Referrer & Embed Security Policy, Third-Party Services Policy, Data Retention Policy, and Account Suspension & Termination Policy.


1. Who We Are

Operator: Playflick™ Media .ltd

Website: https://playflick.com

Business Address:
41 Norman Avenue
London
N22 5ES
United Kingdom

Developer Security Support Email: hello@playflick.com
Contact Page: https://playflick.com/contact-us


2. Purpose of This Policy

API keys, webhooks, tokens, and developer integrations can provide powerful access to Playflick data, account features, creator tools, analytics, embeds, payments, notifications, and platform services. These tools must be handled securely.

This policy explains:

  • How API keys, tokens, and developer credentials should be protected
  • How webhooks and callback URLs should be configured safely
  • What developers must do if credentials are leaked or compromised
  • What API and webhook abuse is prohibited
  • How Playflick may restrict, rotate, revoke, or disable developer access
  • How users may report developer security concerns

3. Feature Availability

API keys, webhooks, callback URLs, signing secrets, developer dashboards, app registrations, OAuth tools, access tokens, refresh tokens, audit logs, test environments, sandbox tools, and related developer features may not be available to every user, country, account type, business, creator, partner, plan, or integration.

Playflick may add, remove, restrict, redesign, suspend, or discontinue API key, webhook, and developer security features at any time.


4. API Keys and Developer Credentials

Playflick may issue API keys, client IDs, client secrets, access tokens, refresh tokens, signing secrets, or other credentials where developer features are available.

Developer credentials may be used to:

  • Authenticate API requests
  • Identify applications
  • Authorize integrations
  • Access permitted data
  • Receive webhooks
  • Use widgets or embeds
  • Connect third-party services
  • Manage approved developer workflows

5. Protecting API Keys and Secrets

Developers are responsible for protecting API keys, secrets, tokens, and credentials.

Developers must not:

  • Publish API keys in public code repositories
  • Expose secrets in client-side code
  • Share private keys in support tickets unnecessarily
  • Send secrets through insecure channels
  • Store credentials without appropriate security
  • Use one key across unrelated applications unnecessarily
  • Leave unused credentials active

6. Public vs Private Credentials

Some identifiers may be intended for public use, while secrets and tokens must be kept private.

Developers should carefully distinguish between:

  • Public client IDs
  • Private client secrets
  • Publishable keys
  • Secret keys
  • Access tokens
  • Refresh tokens
  • Webhook signing secrets
  • Session or playback tokens

If a credential is unclear, developers should treat it as private unless Playflick states otherwise.


7. Token Storage

Developers should store tokens and secrets securely.

Secure storage practices may include:

  • Using server-side storage for secrets
  • Using environment variables or secret managers
  • Encrypting sensitive credentials where appropriate
  • Restricting staff access
  • Rotating credentials regularly
  • Deleting unused credentials
  • Avoiding logs that contain tokens or secrets

8. Webhooks

Playflick may provide webhooks where available to notify developers about events.

Webhook events may relate to:

  • Account changes
  • Creator uploads
  • Content processing
  • Payment or payout events where supported
  • Subscription events where supported
  • Moderation events where supported
  • API integration events
  • Developer app status events

9. Webhook Endpoint Security

Developers are responsible for securing webhook endpoints.

Developers should:

  • Use HTTPS
  • Verify webhook signatures where available
  • Validate event payloads
  • Protect endpoints from unauthorised requests
  • Avoid exposing secrets in URLs
  • Implement replay protection where available
  • Log safely without storing sensitive data unnecessarily

10. Webhook Signing Secrets

Webhook signing secrets must be protected like passwords.

Developers must not publish, share, hard-code, leak, or expose webhook signing secrets.

Playflick may rotate, revoke, or require regeneration of signing secrets where security, fraud, abuse, or platform integrity concerns apply.


11. Callback URLs and Redirect URIs

Developers may need to configure callback URLs, redirect URIs, or return URLs for authentication, account linking, payment flows, or integration workflows.

Developers must ensure callback URLs are accurate, secure, and controlled by them.

Callback URLs must not redirect users to phishing pages, malware, scam sites, fake login pages, or unauthorised third-party destinations.


12. OAuth and User Authorisation

Where Playflick supports OAuth or similar authorisation systems, developers must request only the access they need and must clearly explain their integration where required.

Developers must not:

  • Misrepresent the application requesting access
  • Trick users into granting permissions
  • Use permissions for unrelated purposes
  • Access data beyond authorised scopes
  • Store user data longer than permitted
  • Bypass user revocation or consent controls

13. Least-Privilege Access

Developers should use the minimum permissions, scopes, keys, and data access needed for their intended integration.

Applications should not request broad permissions where limited permissions are sufficient.

Playflick may restrict or reject integrations that request excessive access.


14. Rate Limits and Abuse Prevention

Playflick may apply rate limits, quotas, throttling, request limits, payload limits, webhook delivery limits, or other controls to protect the platform.

Developers must not bypass or evade rate limits.

Prohibited conduct may include:

  • Rotating keys to evade limits
  • Using multiple accounts to bypass quotas
  • Sending excessive webhook retries
  • Scraping beyond permitted access
  • Overloading endpoints intentionally
  • Using APIs for spam, fraud, or abuse

15. Logging and Sensitive Data

Developers should avoid logging sensitive Playflick data unnecessarily.

Logs should not unnecessarily contain:

  • API keys
  • Access tokens
  • Refresh tokens
  • Webhook signing secrets
  • Payment details
  • Private user data
  • Private messages
  • Security codes or session data

16. Leaked or Compromised Credentials

Developers must act quickly if API keys, secrets, tokens, webhook secrets, private keys, or credentials are leaked, exposed, stolen, or suspected to be compromised.

Developers should:

  • Revoke or rotate affected credentials
  • Review application logs
  • Check for unauthorised activity
  • Remove exposed secrets from public locations
  • Notify Playflick where appropriate
  • Notify affected users where legally required
  • Improve storage and deployment controls

17. Playflick Credential Rotation

Playflick may rotate, revoke, suspend, or disable credentials where necessary.

Reasons may include:

  • Credential leak
  • Suspected compromise
  • API abuse
  • Webhook abuse
  • Fraud signals
  • Security vulnerability
  • Developer account risk
  • Legal or rights concerns

18. Third-Party Integrations

Developers connecting Playflick to third-party services are responsible for ensuring those services are secure, lawful, and appropriate for the intended use.

Developers must not send Playflick data to third parties in violation of Playflick policies, user permissions, privacy requirements, contracts, or applicable law.


19. Application Security

Developers should maintain reasonable security for applications using Playflick tools.

Security practices may include:

  • Secure authentication
  • Access controls
  • Input validation
  • Secure dependency management
  • Patch management
  • Monitoring and alerting
  • Incident response plans
  • Secure backup and recovery processes

20. Prohibited Developer Security Conduct

Developers must not misuse Playflick API keys, webhooks, tokens, or developer tools.

Prohibited conduct may include:

  • Building fake Playflick login pages
  • Stealing tokens or credentials
  • Using APIs for spam or scraping outside permitted access
  • Forging webhook events
  • Replay-attacking webhook payloads
  • Using leaked keys
  • Bypassing access controls
  • Impersonating Playflick systems or staff

21. Security Testing

Developers and security researchers must not test, scan, probe, exploit, or attack Playflick systems except as permitted by Playflick’s Security Policy & Responsible Disclosure.

Security testing must not harm users, compromise data, interrupt service, access private information, or bypass permissions.


22. Child Safety

APIs, webhooks, integrations, and developer tools must not be used to exploit, sexualise, identify, harass, groom, manipulate, or endanger children or young users.

Developers must not build tools that facilitate unsafe contact with children, bypass child-safety controls, expose child data unlawfully, or promote exploitative content.

Serious child-safety concerns may result in immediate access restriction and reporting where appropriate or required.


23. Reports and Support

Users, developers, creators, security researchers, partners, rights holders, or viewers may contact Playflick about leaked keys, suspicious API activity, webhook abuse, fake integrations, unsafe callback URLs, developer security issues, or suspected credential compromise.

Contact:

Email: hello@playflick.com
Contact Page: https://playflick.com/contact-us

Please include:

  • The app, API key, webhook, integration, developer account, domain, or URL involved
  • A clear explanation of the issue
  • Any screenshots, timestamps, logs with secrets removed, request IDs, or supporting context
  • Whether the issue involves child safety, payment, rights, privacy, phishing, malware, or legal concerns

Do not send passwords, full payment card numbers, API secrets, private keys, webhook signing secrets, parental PINs, or one-time login codes.


24. Enforcement

Playflick may take action where API keys, webhooks, tokens, developer credentials, callback URLs, applications, integrations, or related features are abused or affected by security concerns.

Enforcement may include:

  • Revoking API keys
  • Rotating secrets
  • Disabling webhooks
  • Restricting callback URLs
  • Restricting developer apps
  • Restricting API access
  • Throttling or blocking requests
  • Suspending developer accounts
  • Restricting accounts involved in abuse
  • Preserving records for legal, safety, fraud, rights, payment, developer, or security reasons

25. Appeals and Review Requests

If your API key, webhook, developer app, callback URL, token, account, or related feature was removed or restricted and you believe Playflick made a mistake, you may request a review under our Appeals Policy where available.

Contact:

Email: hello@playflick.com

Please include:

  • Your developer account email where relevant
  • The app, API key, webhook, integration, callback URL, or feature involved
  • The decision you are asking Playflick to review
  • Why you believe the decision was incorrect
  • Any supporting screenshots, timestamps, technical context, or relevant details

Do not send passwords, full payment card numbers, API secrets, private keys, webhook signing secrets, parental PINs, or one-time login codes.


26. Privacy and Data Retention

Playflick may process and retain API key records, token records, webhook records, callback URL records, developer app records, access logs, request logs, security logs, integration records, support messages, review records, fraud signals, safety records, payment records, rights records, developer records, and enforcement records.

These records may be retained for platform operation, developer support, security, abuse prevention, child safety, payment protection, rights protection, legal compliance, moderation, appeals, audits, fraud prevention, and platform integrity.

More information is available in our Privacy Policy, Cookie Policy, Data Retention Policy, and Evidence Preservation Policy.


27. Changes to This Policy

We may update this API Keys, Webhooks & Developer Security Policy from time to time.

Changes may reflect new API tools, webhook systems, authentication systems, developer security controls, privacy controls, rights controls, legal requirements, safety requirements, or platform updates.

Your continued use of Playflick API keys, webhooks, tokens, or developer security features after changes become effective means you agree to the updated policy.


28. Contact Us

For API key questions, webhook security concerns, developer credential issues, callback URL problems, leaked key reports, review requests, or policy enquiries, contact:

Playflick™ Media .ltd
41 Norman Avenue
London
N22 5ES
United Kingdom

Developer Security Support Email: hello@playflick.com
Contact Page: https://playflick.com/contact-us
Website: https://playflick.com


29. Footer Notice

© 2026 Playflick™ Media .ltd. All rights reserved.
Playflick™ is a trademark of Playflick™ Media .ltd.