Yes. You must keep your partner credentials secret. If third parties gain access to your partner token, they will be able to make calls to our API as if they were you. They could then create new users, and potentially perform actions on behalf of your existing users, which could lead to serious problems.