API Key Leak Detection

API Key Format

Zuplo uses a specially formatted API Key structure that allows us to partner with GitHub's secret scanning to protect your users from accidentally leaked keys.

We think the safety of your API key consumers is paramount, so this feature is available to all Zuplo customers, including free.

API Key Leak Detection

API keys should never be stored in source control. Accidentally committing API keys to source control is a common attack vector that leads to compromises of organizations both large and small.

Zuplo participates in GitHub's Secret Scanning program to detect if your or your customer's API Keys are checked into source control on GitHub.

If an API Key for your Zuplo API Gateway is compromised by checking it into a public or private GitHub repository, Zuplo will be notified and can take action immediately.

Leak Notifications

You will receive notifications of API Key leaks via email as well as in-app notifications. You can customize the notifications settings by going to your Profile in the Zuplo Portal.

Recommended Actions

If you receive an alert that an API Key has been leaked, we recommend taking one of the following actions immediately.

Notify Your Customer

Notify your customer and ask them to login to your Zuplo powered developer portal and instruct them to roll the API Key. This way the old key is revoked and they get a new key.

Roll the API Key

You can use the Zuplo API to roll the API Key for the consumer. This will create a new key and revoke the old key.

Code
 
export ACCOUNT_NAME="your-account-name"
export BUCKET_NAME="your-bucket-name"
export CONSUMER_NAME="your-consumer-name"
export ZUPLO_API_KEY="your-zuplo-api-key"

curl --request POST \
  --url https://dev.zuplo.com/v1/accounts/$ACCOUNT_NAME/key-buckets/$BUCKET_NAME/consumers/$CONSUMER_NAME/roll-key \
  --header 'Authorization: Bearer $ZUPLO_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '
{
  "expiresOn": "2024-01-01T00:00:00.000Z"
}
'