All request made to Capture are authenticated using your API key and a unique hash. API key is used to identify the account that is making the request and the hash is used to validate the request.
Every request is made secure by verifying the hash you generate while making the request. The hash can be generated only by knowing the API secret which has to be kept private and should not be shared with anyone. So it is not possible for anyone to make another request using your API keys as long as the person doesn't have access to the API secret.
If your API credentials are compromised you need to immediately contact Capture support so that we can assist you.