diff --git a/apiserver/.gitignore b/apiserver/.gitignore
index 5b8252a..8380732 100644
--- a/apiserver/.gitignore
+++ b/apiserver/.gitignore
@@ -110,3 +110,4 @@ migrations/
 data/
 old_photos/
 old_paypal/
+secrets.py
diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 01d6269..3a29f4c 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -277,8 +277,8 @@ class DoorViewSet(viewsets.ViewSet, List):
 
 
 
-class IpnViewSet(viewsets.ViewSet, Create):
-    def create(self, request):
+class IpnView(views.APIView):
+    def post(self, request):
         try:
             utils_paypal.process_paypal_ipn(request.data)
         except BaseException as e:
diff --git a/apiserver/apiserver/secrets.py.example b/apiserver/apiserver/secrets.py.example
new file mode 100644
index 0000000..701428b
--- /dev/null
+++ b/apiserver/apiserver/secrets.py.example
@@ -0,0 +1,6 @@
+# Spaceport secrets file, don't commit to version control!
+
+# Set this to random characters so the PayPal IPN POST route is unguessable
+# For example, use the output of this:
+# head /dev/urandom | md5sum
+IPN_RANDOM = ''
diff --git a/apiserver/apiserver/urls.py b/apiserver/apiserver/urls.py
index 8279fb3..4b37c04 100644
--- a/apiserver/apiserver/urls.py
+++ b/apiserver/apiserver/urls.py
@@ -4,9 +4,12 @@ from django.urls import include, path
 from rest_framework import routers
 
 from .api import views
+from . import secrets
+
+IPN_ROUTE = r'^ipn/{}/'.format(secrets.IPN_RANDOM)
+print('IPN route is:', '/'+IPN_ROUTE[1:])
 
 router = routers.DefaultRouter()
-router.register(r'ipn', views.IpnViewSet, basename='ipn')
 router.register(r'door', views.DoorViewSet, basename='door')
 router.register(r'cards', views.CardViewSet, basename='card')
 router.register(r'search', views.SearchViewSet, basename='search')
@@ -26,4 +29,5 @@ urlpatterns = [
     url(r'^registration/', views.RegistrationView.as_view(), name='rest_name_register'),
     url(r'^password/change/', views.PasswordChangeView.as_view(), name='rest_password_change'),
     url(r'^user/', views.UserView.as_view(), name='user'),
+    url(IPN_ROUTE, views.IpnView.as_view(), name='ipn'),
 ]
diff --git a/apiserver/docs/source/dev.rst b/apiserver/docs/source/dev.rst
index c664ff3..17b9e12 100644
--- a/apiserver/docs/source/dev.rst
+++ b/apiserver/docs/source/dev.rst
@@ -39,6 +39,8 @@ Create a venv, activate it, and install:
     $ source env/bin/activate
     (env) $ pip install -r requirements.txt
 
+Edit ``apiserver/secrets.py.example`` and save it as ``apiserver/secrets.py``.
+
 Now setup Django and run it:
 
 .. sourcecode:: bash