API Key Exposure

API Key Exposure occurs when API keys, tokens, or credentials are inadvertently revealed in public locations such as source code repositories, client-side code, logs, or documentation, allowing unauthorized access to APIs and services.

Common Exposure Locations

• Git repositories: Committed credentials in code or config files
• Client-side code: API keys embedded in JavaScript
• Mobile apps: Keys in APK/IPA files
• Public documentation: Examples with real keys
• Log files: Keys logged in requests or errors
• Error messages: Stack traces revealing configuration

Discovery Methods

# Git history search
git log -p | grep -i "api_key\|secret\|password"

# GitHub/GitLab search
"api_key" org:company extension:js
"AWS_SECRET" filename:.env

# Common patterns to search for
API_KEY=
SECRET_KEY=
PRIVATE_KEY=
aws_secret_access_key
-----BEGIN RSA PRIVATE KEY-----

Impact by Key Type

• AWS keys: Full cloud account access, data breach, cryptomining
• Database credentials: Direct database access
• Payment API keys: Financial fraud
• OAuth secrets: Account impersonation
• Private signing keys: JWT forgery, code signing abuse

Prevention

• Use environment variables, not hardcoded keys
• Implement secret scanning in CI/CD
• Use secrets management (Vault, AWS Secrets Manager)
• Rotate keys regularly and after exposure
• Restrict key permissions to minimum required

See Also

• GraphQL Introspection
• Google Dorking