Question
How can I best secure my Vonage API account?
Applies To
Account Dashboard
Password & API Secret
Multi-Factor Authentication (MFA)
IP Whitelisting
Fraud Defender
Security
Answer
Vonage provides several built-in security features to help protect your account. However, using these features alone may not be sufficient to prevent a compromise. This article describes the key security controls available to you and the best practices you should follow to keep your Vonage API account secure.
1. Authentication
Passwords and Secrets
Your password is the first line of defense for your account. Vonage recommends a password that:
Is at least 12 characters long
Contains both upper- and lower-case letters
Includes numbers and at least one special character
This applies to both primary and any secondary accounts. You can update your password on the Change Password page.
When interacting with Vonage API services, each API request must also be authenticated. Several authentication methods are available depending on the API: API key and secret, signed requests using a signature secret, and JWTs issued with a Vonage Application's private key.
Both the API secret and the signature secret function like passwords, so the same rules apply. Vonage recommends using secrets that:
Are at least 20 characters long
Contain both upper- and lower-case letters, at least one number, and special characters where allowed
You can manage your secrets via the Settings page of the Dashboard.
Multi-Factor Authentication (MFA)
MFA is now mandatory for all Vonage API accounts and cannot be disabled via the Dashboard. MFA significantly reduces the risk of account compromise by requiring a second form of verification at login. Even if an attacker obtains your password, they would also need access to your MFA device to gain entry.
What you should do:
Ensure MFA is active on all sub-users, not just the primary account
Verify that the MFA notification phone number and email address are correct and belong to the legitimate account owner — attackers may attempt to change these to intercept verification codes
Consider switching from SMS/WhatsApp 2FA to an Authenticator App (TOTP) for stronger protection. TOTP codes cannot be captured through SIM swap attacks or SMS interception. Note that TOTP still does not stop a real-time phishing page from relaying a code you type into it, so only enter codes on the Dashboard login page you navigated to yourself.
If you believe your MFA settings have been tampered with, contact Vonage Support immediately — re-enabling or modifying MFA requires a Vonage Support action and cannot be done via self-service.
2. Protecting Your Credentials
Do Not Expose Your Secrets
Sharing or exposing your credentials can lead to account compromise and fraud. Keep the following in mind:
Vonage will never ask for your secrets — not even when you contact support. If anyone claiming to represent Vonage asks for your API secret, signature secret, or password, treat it as a phishing attempt.
Do not commit secrets to public code repositories (e.g., GitHub). Attackers actively scan public repositories for exposed credentials. Before committing any code, ensure no secrets are present in any files.
Do not hardcode secrets in mobile applications. Credentials embedded in a mobile app can be recovered by reverse engineering with little effort, even if obfuscated. If a mobile application needs to act on your account, keep the Application private key on your own backend, have that backend mint short-lived JWTs for the Vonage API services that support JWT-based authentication, and hand only those tokens to the app.
Handle credentials securely in your applications. Avoid storing secrets in world-readable files, sharing them with untrusted services, or accidentally exposing them via logs or error messages. For guidance on secure application design, refer to the OWASP Top 10 Project.
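The repository and logging advice above is easiest to enforce automatically. The following is an added example, not part of the original article or of any Vonage tooling: a small scanner of the kind you would wire into a pre-commit hook, run over a constructed sample file. The patterns (PEM private-key headers, JWT-shaped strings, and assignments to names such as api_secret, signature_secret or private_key) are assumptions chosen for illustration; dedicated tools such as gitleaks carry far larger pattern sets, and this shows the shape of the check rather than replacing them.

```python
import re
import sys

# Constructed sample of a file about to be committed. Every value below is made
# up for this example; none is a real credential.
SAMPLE_FILE = """\
# settings.py (constructed sample)
VONAGE_API_SECRET = os.environ["VONAGE_API_SECRET"]
VONAGE_API_SECRET = "s3cr3tValueNotReal12"
signature_secret: MyS1gn4tureSecretValue!!
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
-----END PRIVATE KEY-----
token = "eyJhbGciOiJIUzI1NiJ9.eyJhcHBsaWNhdGlvbl9pZCI6ImFiYyJ9.c2lnbmF0dXJl"
"""

# Names that usually hold a secret (assumed list; extend for your code base).
KEYWORDS = r"(?i)(?:api[_-]?secret|signature[_-]?secret|private[_-]?key|password)\b"

PATTERNS = {
    # PEM private key material of any common type.
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Three base64url segments starting with 'eyJ' (the encoding of '{"'), i.e. a JWT.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # name = "literal" or name: literal, with a value of at least 8 non-space chars.
    "secret_assignment": re.compile(KEYWORDS + r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{8,})"),
}

# Values that merely reference the environment are fine; only literals are flagged.
ENV_REFERENCE = re.compile(r"^(?:os\.environ|os\.getenv|getenv\(|process\.env|\$\{?[A-Z_]+)")


def find_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding kind) for every line that looks like it holds a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.groupdict().get("value")
                if value is not None and ENV_REFERENCE.match(value):
                    continue  # os.environ[...] and friends are references, not leaks
                findings.append((lineno, kind))
                break  # one finding per line per kind is enough to block the commit
    return findings


def scan_files(paths: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Scan each file on disk; the result maps path -> findings (empty list if clean)."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = find_secrets(fh.read())
    return report


if __name__ == "__main__":
    # Usage as a pre-commit hook: python scan_secrets.py $(git diff --cached --name-only)
    # Exits non-zero when anything is found, which aborts the commit.
    targets = sys.argv[1:]
    report = scan_files(targets) if targets else {"<sample>": find_secrets(SAMPLE_FILE)}
    dirty = False
    for path, findings in report.items():
        for lineno, kind in findings:
            dirty = True
            print(f"{path}:{lineno}: possible {kind}")
    sys.exit(1 if dirty else 0)
```

Run with no arguments it scans the constructed sample and reports lines 3, 4, 5 and 8 (the literal secret, the signature secret, the PEM block and the JWT) while accepting line 2, which only reads the environment. A finding is a prompt to look, not proof of a leak; the cost of a false positive is one extra glance, the cost of a false negative is a credential in your git history.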
Encrypted Communication
Strong passwords are only effective if the communication between your systems and Vonage is encrypted. Vonage API services are accessible via HTTPS to ensure encrypted communication, and our certificates are issued by a trusted third-party provider.
If your browser or library raises any certificate-related warnings, do not proceed with authentication until you have investigated and resolved the issue.
Request Signing
If you use a proxy server (internal or third-party), your API secret may be logged in clear text when using traditional API key and secret-based authentication. Signed requests address this by removing the API secret from the request entirely — only a signature derived from the secret is transmitted.
Benefits of request signing:
Protects your API secret from being exposed in transit
Provides integrity protection against request tampering
Limits replay attacks: the timestamp is part of the signed data, so a captured request can only be replayed within the receiver's acceptance window, and not with a fresh timestamp
Vonage recommends using SHA-256 HMAC or SHA-512 HMAC as the signature algorithm. You can configure your signature secret and algorithm via the Settings page.
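To make the three benefits concrete, here is an added example (not code from the original article or from Vonage's SDKs) that implements both ends of an HMAC-SHA256 signing scheme in Python's standard library. The canonicalisation rules (parameters sorted by name, concatenated as &name=value, '&' and '=' in values replaced by '_', a timestamp included, the signature carried in a 'sig' parameter) are assumptions modelled on Vonage's documented scheme; confirm the exact rules in the documentation for the API you use. The signature secret, API key and phone number are constructed values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed signature secret for the example; the real one is set in the Dashboard.
SIGNATURE_SECRET = "example-signature-secret-not-real"


def canonical_string(params: dict) -> str:
    """String to sign: every parameter except 'sig', sorted by name, as &name=value.
    '&' and '=' inside values become '_' so a value cannot forge a parameter boundary.
    (Assumed canonicalisation; check the docs for the API you use.)"""
    parts = []
    for name in sorted(params):
        if name == "sig":
            continue
        value = str(params[name]).replace("&", "_").replace("=", "_")
        parts.append(f"&{name}={value}")
    return "".join(parts)


def sign_request(params: dict, secret: str, now: Optional[int] = None) -> dict:
    """Client side: add a timestamp, then a SHA-256 HMAC over the canonical string.
    Only 'sig' travels on the wire; the secret itself never leaves the client."""
    signed = dict(params)
    signed["timestamp"] = str(int(time.time()) if now is None else now)
    mac = hmac.new(secret.encode(), canonical_string(signed).encode(), hashlib.sha256)
    signed["sig"] = mac.hexdigest()
    return signed


def verify_request(params: dict, secret: str, now: Optional[int] = None,
                   max_skew: int = 300, seen: Optional[set] = None) -> bool:
    """Receiver side: reject stale timestamps, recompute the HMAC and compare it in
    constant time, and optionally reject a signature already accepted inside the window."""
    sig = params.get("sig")
    ts = params.get("timestamp")
    if not isinstance(sig, str) or not isinstance(ts, str) or not ts.isdigit():
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > max_skew:
        return False                       # outside the window: stale or far-future
    expected = hmac.new(secret.encode(), canonical_string(params).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False                       # tampered, or signed with the wrong secret
    if seen is not None:
        if sig in seen:
            return False                   # exact replay inside the window
        seen.add(sig)
    return True


def demo() -> dict:
    """Exercise the scheme against the attacks the text mentions (constructed inputs)."""
    now = 1_700_000_000
    params = {"api_key": "abcd1234", "from": "Acme",
              "to": "447700900000", "text": "Your code is 123456"}
    signed = sign_request(params, SIGNATURE_SECRET, now=now)
    seen = set()
    tampered = dict(signed, text="Your code is 999999")   # body changed, sig kept
    return {
        "valid": verify_request(signed, SIGNATURE_SECRET, now=now, seen=seen),
        "replay": verify_request(signed, SIGNATURE_SECRET, now=now, seen=seen),
        "tampered": verify_request(tampered, SIGNATURE_SECRET, now=now, seen=set()),
        "stale": verify_request(signed, SIGNATURE_SECRET, now=now + 3600, seen=set()),
        "secret_absent": SIGNATURE_SECRET not in signed.values(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The proxy-logging point falls out directly: a log of the signed request contains 'sig' and 'timestamp' but never the secret, and because the signature covers the timestamp a logged request stops verifying once the window closes. The 'seen' set is the extra step a receiver needs if it wants to reject an exact replay inside the window; a plain timestamp check alone only bounds how long a replay stays valid.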
3. Access Control
IP Whitelisting
Vonage supports IP Whitelisting to help restrict API access to your known server or application IP addresses. This means that even if your API credentials are stolen, an attacker cannot use them from an address outside the list: the call is rejected at the API Gateway level. Two caveats: it covers API calls only, so it does not stop an attacker who has compromised one of your allowed hosts, and it is not a substitute for rotating leaked credentials. Before requesting it, inventory every egress address your integrations use (NAT gateways, cloud functions, CI runners, any staff machine that calls the API), because requests from any other address will be rejected.
To enable IP Whitelisting on your account, please contact Vonage Support.
Secondary Users
The Dashboard allows you to create secondary users. When adding a new secondary user, double-check the email address carefully — a mistyped address could expose your account to unintended parties. Regularly audit your secondary users and remove any accounts that are no longer needed or were not created by you.
Vonage Applications (JWT Authentication)
If you use Vonage Applications (Application ID + Private Key for JWT-based authentication), be aware that rotating your API secret alone is not sufficient to fully secure a compromised account. An attacker with access to a Vonage Application's private key can continue making API calls via JWT authentication even after the API secret is rotated.
If you suspect your Vonage Applications have been compromised, delete and recreate them immediately, then update every deployment that used the old Application ID and private key.
4. Monitoring & Fraud Prevention
Low Balance Notifications
Enable the Low Balance Notification in your Dashboard Billing settings and set a meaningful threshold. This ensures you are alerted early if fraudulent traffic is draining your account balance.
The low balance alert fires only once per balance drop event. If you have recently experienced a fraud incident, consider raising the threshold temporarily to ensure you receive timely alerts going forward.
Also verify that the notification email address is correct and belongs to the legitimate account owner — attackers may attempt to change this to conceal fraudulent spend.
Autoreload
If you have autoreload enabled with a linked payment method, be aware that an attacker can continuously drain your balance — the account will keep topping up automatically as fraudulent traffic burns through it.
Recommendation: If you suspect your account has been compromised, disable autoreload immediately as a containment measure. You can re-enable it once your account is fully secured.
Vonage Fraud Defender
Vonage Fraud Defender is a built-in fraud protection tool that helps detect and block abnormal traffic patterns in real time. We strongly recommend enabling it, especially if your account sends high volumes of SMS or voice traffic.
Recommended setup:
| Tier | Cost | What to Configure |
|---|---|---|
| Standard | Free | Enable Volumetric Fraud Alerts; set Alert Actions to "Block" or "Notify"; configure Traffic Rules to block countries/prefixes you don't do business with |
| Advanced | $44/month | All of the above, plus: enable AIT Protection (Standard level recommended to minimise false positives); enable SMS Burst Protection |
| Premium | $220/month | All of the above, plus: configure Custom Alerts; use Trusted Numbers to prevent false positives |
Note: SMS AIT Protection is disabled by default and must be explicitly enabled. Volumetric alerts require a minimum traffic threshold to trigger — low-volume accounts may not benefit from this feature.
5. Secure Application Design
Webhooks
Webhooks can expose sensitive information if not configured properly, and they are an input to your system that an attacker can try to forge. Always:
Use HTTPS URLs for all webhook endpoints to ensure encrypted delivery
Configure webhooks to use POST requests, since proxies are less likely to log POST body content than query parameters
Verify that an inbound webhook actually originates from Vonage before acting on it, for example by validating the signature on APIs that offer signed webhooks, or by allowing only Vonage's published IP ranges to reach the endpoint
You can configure your webhook URLs via the Settings page.
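As an added example (not code from the original article or from Vonage's SDKs), the following verifies a signed webhook using only Python's standard library. It assumes the scheme Vonage documents for its signed webhooks (for example on the Messages API): the request carries Authorization: Bearer <JWT>, the JWT is signed with HS256 using your signature secret, and its payload_hash claim is the SHA-256 hex digest of the raw request body. Check the documentation for each API you use, since not every webhook is signed. The make_signed_webhook helper only exists to construct sample input; the secret, claims and body are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signature secret for the example; the real one is set in the Dashboard.
SIGNATURE_SECRET = "example-signature-secret-not-real"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_signed_webhook(body: bytes, secret: str, now: int) -> str:
    """Builds a token the way the sending side would. Used here only to produce sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iat": now, "exp": now + 300, "jti": "constructed-jti-1",
              "payload_hash": hashlib.sha256(body).hexdigest()}
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signed_webhook(authorization: Optional[str], body: bytes, secret: str,
                          now: Optional[int] = None) -> bool:
    """Receiver side. Returns True only if the token is well formed, uses HS256,
    carries a valid HMAC over header.payload, is inside its validity window, and
    its payload_hash matches the SHA-256 of the body actually received."""
    if not authorization or not authorization.startswith("Bearer "):
        return False
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":
        return False            # rejects 'none' and any algorithm-confusion attempt
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    now = int(time.time()) if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        return False            # expired (or no expiry at all)
    if not isinstance(iat, int) or iat > now + 60:
        return False            # issued in the future beyond a small clock skew
    payload_hash = claims.get("payload_hash")
    if not isinstance(payload_hash, str):
        return False
    return hmac.compare_digest(payload_hash, hashlib.sha256(body).hexdigest())


def demo() -> dict:
    """Genuine delivery plus the forgeries a receiver must reject (constructed inputs)."""
    now = 1_700_000_000
    body = b'{"message_uuid":"constructed-uuid","from":"447700900000","text":"hello"}'
    auth = "Bearer " + make_signed_webhook(body, SIGNATURE_SECRET, now)
    genuine_payload = auth.split(".")[1]
    alg_none = "Bearer " + _b64url_encode(b'{"alg":"none"}') + "." + genuine_payload + "."
    return {
        "genuine": verify_signed_webhook(auth, body, SIGNATURE_SECRET, now=now),
        "body_swapped": verify_signed_webhook(auth, b'{"text":"forged"}', SIGNATURE_SECRET, now=now),
        "wrong_secret": verify_signed_webhook(auth, body, "attacker-guess", now=now),
        "expired": verify_signed_webhook(auth, body, SIGNATURE_SECRET, now=now + 3600),
        "alg_none": verify_signed_webhook(alg_none, body, SIGNATURE_SECRET, now=now),
        "missing_header": verify_signed_webhook(None, body, SIGNATURE_SECRET, now=now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two details matter in practice: hash the raw bytes exactly as received (before any JSON parsing or re-serialisation, which can change whitespace and key order), and pin the algorithm to HS256 before computing anything, so a token claiming alg none or a different algorithm is rejected without its claims ever being trusted.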
Application Security Reviews
It is good practice to have your application or service reviewed by a qualified, reputable third-party security provider — both before going to production and after significant changes are made. This helps identify vulnerabilities that could negatively impact your business before they are exploited.
6. What to Do If You Suspect a Compromise
If you believe your account has been compromised, take the following steps immediately:
Rotate all credentials — API secret, signature secret, and Dashboard password
Delete and recreate any Vonage Applications that may have been accessed
Remove any unauthorized secondary users from your account
Disable autoreload to prevent further financial loss
Verify your MFA settings — confirm the notification phone number and email have not been changed
Enable IP Whitelisting to restrict API access to known IPs only
Enable Fraud Defender to monitor and block abnormal traffic going forward
Contact Vonage Support immediately by raising a support ticket — our team will assist you with the investigation and recovery process