API Key Leak Detection
API Key Format
Zuplo uses a specially formatted API Key structure that lets us partner with GitHub's secret scanning program to protect your users from accidentally leaked keys.
We think the safety of your API Key consumers is paramount, so this feature is available to all Zuplo customers, including those on the free plan.
API Key Leak Detection
API Keys should never be stored in source control. Accidentally committing API Keys to a repository is a common attack vector and has led to compromises of organizations both large and small.
Zuplo participates in GitHub's Secret Scanning program to detect when your or your customers' API Keys are checked into source control on GitHub.
If an API Key for your Zuplo API Gateway is exposed by being committed to a public or private GitHub repository, Zuplo is notified and can take action immediately.
Leak Notifications
You will receive notifications of API Key leaks via email as well as in-app notifications. You can customize the notification settings from your Profile in the Zuplo Portal.
For security reasons we don't include the full API Key in the notifications we send. If you need the full API Key, contact support.
Recommended Actions
If you receive an alert that an API Key has been leaked, we recommend taking one of the following actions immediately.
Notify Your Customer
Notify your customer and ask them to log in to your Zuplo-powered developer portal and roll the API Key. The old key is revoked and they receive a new key.
Roll the API Key
You can use the Zuplo API to roll the API Key for the consumer. This creates a new key and revokes the old one, so the customer must update any system that still uses the old key before it is revoked; for a confirmed leak, revoke immediately rather than allowing a grace period.
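The following is an added example of a roll-key call, written for this page; it is not Zuplo's own code. It assumes the Zuplo Developer API base URL `https://dev.zuplo.com/v1`, a `POST /accounts/{account}/key-buckets/{bucket}/consumers/{consumer}/roll-key` endpoint that accepts an `expiresOn` body field for the old key, Bearer-token authentication, and a `key` field in the response; all of these are assumptions to verify against your Zuplo API reference. The `buildRollKeyRequest`, `rollLeakedKey` and `maskKey` names are hypothetical. The path segments are validated before being placed in the URL so that a consumer name copied from an alert cannot alter the request path, and the new key is masked before it is logged.

```javascript
// Added example, not Zuplo's own code.
// ASSUMPTIONS (verify against the Zuplo Developer API reference before use):
//  - base URL https://dev.zuplo.com/v1
//  - POST /accounts/{account}/key-buckets/{bucket}/consumers/{consumer}/roll-key
//  - request body { expiresOn } sets when the OLD key stops working
//  - Bearer-token authentication with a Zuplo developer API token
//  - the response JSON carries the new key in a "key" field
const ZUPLO_API_BASE = "https://dev.zuplo.com/v1"; // assumption

// Only characters that cannot change the URL path structure: no "/", ".", "?", "#".
const SAFE_PATH_SEGMENT = /^[A-Za-z0-9_-]+$/;

function buildRollKeyRequest({ account, bucket, consumer, token, expiresOn }) {
  // Refuse names that could smuggle "../" or a query string into the request path.
  for (const [name, value] of Object.entries({ account, bucket, consumer })) {
    if (typeof value !== "string" || !SAFE_PATH_SEGMENT.test(value)) {
      throw new Error(`refusing to build request: invalid ${name}`);
    }
  }
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("missing Zuplo developer API token");
  }
  const url =
    `${ZUPLO_API_BASE}/accounts/${account}/key-buckets/${bucket}` +
    `/consumers/${consumer}/roll-key`;
  // For a confirmed leak the old key should stop working now, not after a grace period.
  const body = { expiresOn: expiresOn ?? new Date().toISOString() };
  return {
    url,
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(body),
    },
  };
}

// Mask a key before it goes into logs or tickets: keep a short prefix so the
// record is identifiable without being usable.
function maskKey(key) {
  if (typeof key !== "string" || key.length <= 10) return "****";
  return `${key.slice(0, 6)}****`;
}

// fetchImpl is injectable so the call can be exercised offline with a fake fetch.
async function rollLeakedKey(params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildRollKeyRequest(params);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    throw new Error(`roll-key failed for consumer ${params.consumer}: HTTP ${res.status}`);
  }
  const data = await res.json();
  // Never log the full new key; the masked form is enough to correlate with the alert.
  console.log(`rolled key for ${params.consumer}; new key ${maskKey(data.key)}`);
  return data;
}

// Usage: runs only when a token is configured, so nothing is sent otherwise.
if (typeof process !== "undefined" && process.env.ZUPLO_TOKEN) {
  rollLeakedKey({
    account: process.env.ZUPLO_ACCOUNT,
    bucket: process.env.ZUPLO_BUCKET,
    consumer: process.env.ZUPLO_CONSUMER,
    token: process.env.ZUPLO_TOKEN,
  }).catch((err) => {
    console.error(err.message);
    process.exitCode = 1;
  });
}
```

Run it with `ZUPLO_TOKEN`, `ZUPLO_ACCOUNT`, `ZUPLO_BUCKET` and `ZUPLO_CONSUMER` set; the consumer name should be taken from the leak alert, and the Bearer token must itself be kept out of source control for the same reason the page gives.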