API Key Format
Zuplo uses a specially formatted API Key structure that allows us to partner with GitHub's secret scanning to protect your users from accidentally leaked keys.
We think the safety of your API key consumers is paramount, so this feature is available to all Zuplo customers, including free.
API Key Leak Detection
API keys should never be stored in source control. Accidentally committing API keys to source control is a common attack vector that leads to compromises of organizations both large and small.
Zuplo participates in GitHub's Secret Scanning program to detect when your API Keys or your customers' API Keys are accidentally checked into source control on GitHub.
If an API Key for your Zuplo API Gateway is compromised by checking it into a public or private GitHub repository, Zuplo will be notified and can take action immediately.
Customers on paid plans can be automatically notified by Zuplo when one of their API Keys is found to have leaked. Zuplo supports email, Slack, and webhook notifications.
For security reasons, we don't include the full API Key in the notifications we send. If you need the full API Key, please contact support.
When an API Key leak is detected, you will receive a Slack message with details about the leaked key, the project, etc.
Zuplo can email you in the event of an API Key leak. We recommend setting up an email alias that forwards to the relevant people. Contact firstname.lastname@example.org to enable email notifications.
The notification emails will come from email@example.com and contain details about the leaked key, the project, etc.
Zuplo can send a webhook to the public endpoint of your choice (like your own Zuplo Gateway!) to notify you of leaked API Keys. Simply contact firstname.lastname@example.org with your webhook URL.
The payload is sent as a POST in the following format:
"expiresOn": "no expiration"