API Key Exposure occurs when API keys, tokens, or credentials are inadvertently revealed in public locations such as source code repositories, client-side code, logs, or documentation, allowing unauthorized access to APIs and services.
Common Exposure Locations
- Git repositories: Committed credentials in code or config files
- Client-side code: API keys embedded in JavaScript
- Mobile apps: Keys in APK/IPA files
- Public documentation: Examples with real keys
- Log files: Keys logged in requests or errors
- Error messages: Stack traces revealing configuration
Discovery Methods
# Git history search
git log -p | grep -i "api_key\|secret\|password"
# GitHub/GitLab search
"api_key" org:company extension:js
"AWS_SECRET" filename:.env
# Common patterns to search for
API_KEY=
SECRET_KEY=
PRIVATE_KEY=
aws_secret_access_key
-----BEGIN RSA PRIVATE KEY-----
Impact by Key Type
- AWS keys: Full cloud account access, data breach, cryptomining
- Database credentials: Direct database access
- Payment API keys: Financial fraud
- OAuth secrets: Account impersonation
- Private signing keys: JWT forgery, code signing abuse
Prevention
- Use environment variables, not hardcoded keys
- Implement secret scanning in CI/CD
- Use secrets management (Vault, AWS Secrets Manager)
- Rotate keys regularly and after exposure
- Restrict key permissions to minimum required
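The CI/CD secret scanning listed above can be built from the same patterns given under Discovery Methods. The following is an added example (not code from the original page) of a minimal scanner that flags those patterns in committed text, skips obvious placeholder values, and redacts the matched value so the CI log itself does not become a new exposure location; the sample `.env` content and the placeholder list are constructed for this example.

```python
import re
from typing import List, Tuple

# Regexes for the page's "Common patterns to search for" list.
# Capture groups hold the value so the report can redact it.
SECRET_PATTERNS = [
    ("key_assignment",
     re.compile(r"(?i)\b(API_KEY|SECRET_KEY|PRIVATE_KEY)\s*=\s*['\"]?([^'\"\s]+)")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([^'\"\s]+)")),
    ("rsa_private_key_block", re.compile(r"-----BEGIN RSA PRIVATE KEY-----")),
]

# Constructed placeholder values that commonly appear in example configs.
PLACEHOLDERS = {"changeme", "your_api_key_here", "xxxxxxxx", ""}


def redact(value: str) -> str:
    """Keep the first 4 characters so a hit is recognisable but not reusable."""
    if len(value) <= 4:
        return "****"
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else ""
            if name != "rsa_private_key_block" and value.lower() in PLACEHOLDERS:
                continue  # example value, not a real credential
            findings.append((lineno, name, redact(value)))
    return findings


def ci_check(text: str) -> int:
    """CI step exit status: 0 when clean, 1 when any secret-like value is found."""
    findings = scan_text(text)
    for lineno, name, shown in findings:
        print(f"line {lineno}: {name} -> {shown}")
    return 1 if findings else 0


# Constructed sample .env content; every value here is fake.
SAMPLE = """# example config
API_KEY=your_api_key_here
SECRET_KEY="s3cr3tvalue1234"
aws_secret_access_key = wJalrFAKEFAKEFAKE
-----BEGIN RSA PRIVATE KEY-----
DEBUG=true
"""

if __name__ == "__main__":
    raise SystemExit(ci_check(SAMPLE))
```

Wire `ci_check` over the staged files in a pre-commit hook or pipeline step and fail the build on a non-zero return; the placeholder line is deliberately not flagged so example configs do not block every commit.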