Possible API Key Leak?

Hello all, so I may have found something interesting by dorking on GitHub for a company I’ve been working on. In two separate Python files, both contain:

`header = {'api_key': 'abcdef-ghijkl-mnopq-rstuvwxyz', 'email_id': 'email@company.com'}`

I really have no idea how to verify if that API key is valid though. My Google-Fu is seriously failing me right now. I feel like I’ve been staring at this and researching APIs for far too long… The files were both from July 2018, so I don’t know if this is a red herring, but my API knowledge is laughable at best. Although I’m learning, which is really all that matters!

Hi @pisteuo,

Usually, API keys are supposed to be public. On the other hand, API secrets or similar are not supposed to be public. If you don’t know what service that api_key is for, it’s difficult to find out if it’s worth reporting or not.


@stefanofinding, thank you for the reply! I dug a little further and this wasn’t an issue. Thanks again.


You’re welcome!
Okay, I hope you find something soon.
Best.

Thank you so much for your great information. It is too useful for me.


I’m glad to hear that!

I’ve found this on a website before, in a data leak on a page: it had user information from the database, and they included a bit too much, like user email, user IP, user, and one was `API_KEY = "1d3d43fr3rf33"`.
The API_KEY turned out to be the actual authorization token:
`Authorization: Bearer 1d3d43fr3rf33`
Just saying, make sure it is just a public API and not a valuable bug.
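
For repository owners, a check that catches the pattern discussed in this thread before it is committed. This is an added example, not part of any post above: it parses Python source with `ast` and flags credential-like names bound to string literals, both in dict literals and in plain assignments. The key-name list, the placeholder list and the function names are assumptions chosen for illustration.

```python
import ast

# Key names that usually carry a credential (assumed list, extend as needed).
SECRET_KEYS = {"api_key", "apikey", "api_secret", "token", "authorization", "password"}
# Values that are obviously placeholders and not worth flagging (assumed list).
PLACEHOLDERS = {"", "changeme", "your_api_key", "xxx"}


def _is_literal_secret(node):
    """True when node is a non-placeholder string literal."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.strip().lower() not in PLACEHOLDERS)


def find_hardcoded_secrets(source, filename="<string>"):
    """Return (filename, line, key) for each credential-like literal in source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        # Case 1: dict literal such as {'api_key': '...'}
        if isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and key.value.lower() in SECRET_KEYS
                        and _is_literal_secret(value)):
                    findings.append((filename, value.lineno, key.value))
        # Case 2: plain assignment such as API_KEY = "..."
        elif isinstance(node, ast.Assign) and _is_literal_secret(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_KEYS:
                    findings.append((filename, node.lineno, target.id))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample input modelled on the snippets quoted in the thread.
SAMPLE = '''import os
header = {'api_key': 'abcdef-ghijkl-mnopq-rstuvwxyz', 'email_id': 'email@company.com'}
API_KEY = "1d3d43fr3rf33"
safe = {'api_key': os.environ["SERVICE_API_KEY"]}
'''

if __name__ == "__main__":
    for fname, line, key in find_hardcoded_secrets(SAMPLE, "sample.py"):
        print(f"{fname}:{line}: hard-coded value for {key!r}")
```

The last sample line is not flagged because its value is read from the environment at run time instead of being stored in the source.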