# Why does my API key have limited access?

Stripe may automatically limit the access of an API key that hasn't been used for certain money movement operations in 180 days. This is a proactive security measure to protect your account from unauthorized money movement if your key is ever compromised.
If your secret API key hasn't been used to create manual payouts or transfers, or update payout destinations in over 180 days, Stripe removes the key's ability to perform those specific actions. **No action is required on your part.** Limiting the key's capabilities adds a layer of protection from unauthorized actions on your account.
Your key's access to other Stripe API functions remains the same. Your key continues to work normally for charges, refunds, customer management, and every other Stripe API endpoint.
Implicit transfers, such as those created automatically by Stripe as part of routine payment flows, are also unaffected. In addition, automatic payouts are also unaffected.
## Which API endpoints are restricted?
When a key has limited access, Stripe blocks it from calling the following endpoints:
| Action                            | Endpoint                                  |
| --------------------------------- | ----------------------------------------- |
| Create a payout                   | `POST /v1/payouts`                        |
| Cancel a payout                   | `POST /v1/payouts/:id/cancel`             |
| Reverse a payout                  | `POST /v1/payouts/:id/reverse`            |
| Create a transfer                 | `POST /v1/transfers`                      |
| Reverse a transfer                | `POST /v1/transfers/:id/reversals`        |
| Add or update an external account | `POST /v1/accounts/:id/external_accounts` |
If you attempt to use a limited key for one of these actions, the API returns an `invalid_request_error`, indicating that the key's access has been limited.
## Restoring full access
If you need to use one of the restricted endpoints, restore your key's full access directly from the Dashboard. See [how to restore an API key's access](https://docs.stripe.com/keys#restore-access).
## Recommended security practices
Whether or not you restore your key's access, we recommend following the [best practices for managing API keys](https://docs.stripe.com/keys-best-practices). This includes:
- **Use restricted keys.** Rather than using your secret key, create [restricted API keys](https://docs.stripe.com/keys#limit-access) scoped only to the specific permissions your integration requires. Using a restricted access key allows you to follow the principle of least privilege and limits exposure if a key is ever compromised.
- **Set up IP address restrictions.** [Restrict API keys to specific IP addresses](https://docs.stripe.com/keys#limit-access), ensuring they can only be used from your known servers.