Is it possible for a hacker to cause damage by knowing only the Authentication token or API key?

Hi @testerphreak, since your question is a little bit unclear, I’ll provide as much context as I can. RevenueCat has three kinds of authentication tokens / API keys. 

Firstly, there are two types of API keys that you can create in the RevenueCat dashboard: public keys and secret keys.

Public API keys are intended to be used in the SDK. They can’t be used to cause any damage: they can’t be used to read sensitive information such as subscriber attributes, and the only write access that they have is to upload purchases from the SDK, but these purchases are then validated on the backend side directly with the app store (in this case, Google Play Store), and any invalid purchases that an attacker would try to post will be discarded. The only consideration, security-wise, with public API keys is that they could be used to read the entitlement status for any user ID that an attacker knows. For this reason, we recommend using non-guessable user IDs.

Secret API keys are intended to be used from your backend and should never be embedded in your SDK. They can make modifications to the subscription status (e.g., granting promotional entitlements). However, the SDK will throw an error when you try to initialize it using a secret key, so it’s unlikely that you accidentally embedded a secret API key.

The last kind of authentication token is the authentication token used by the dashboard (web application), which is stored in your browser after you log in – I don’t think you are talking about this token in this context.